Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Missing Values (CWE-230) vulnerability where an attacker continuously sending a specially crafted message can cause service degradation. The impact continues as long the attack persists but the system recovers from the crashes when the attack stops.
AnalysisAI
Denial of service in Ericsson Packet Core Gateway (PCG) versions prior to 1.30 allows an adjacent-network attacker to degrade telecom packet core service by continuously sending a specially crafted message that triggers improper handling of missing values (CWE-230). The condition persists only while the attack is sustained - the system self-recovers once traffic stops - and no public exploit identified at time of analysis, but the CVSS 4.0 score of 7.1 reflects high availability impact on a carrier-grade network function.
Technical ContextAI
PCG is Ericsson's cloud-native 5G packet core element that combines SMF (Session Management Function) and UPF (User Plane Function) roles for subscriber session handling and user-plane traffic forwarding in mobile operator networks. The root cause is CWE-230 (Improper Handling of Missing Values), meaning a parser or message handler does not safely cope with a field that is absent or null in an inbound protocol message, leading it to crash rather than reject the malformed input. Because PCG sits on the operator's signaling/transport network (consistent with the AV:A 'adjacent network' attack vector), the offending message must reach an internal control or user-plane interface rather than the public internet.
RemediationAI
Upgrade Ericsson Packet Core Gateway to version 1.30 or later, which is the vendor-released patch identified in the Ericsson PSIRT advisory at https://www.ericsson.com/en/about-us/security/psirt/cve-2026-25659. If immediate upgrade is not feasible in a maintenance window, compensating controls focus on shrinking the adjacent-network attack surface: restrict signaling and N3/N4/N6 interface reachability to known peer NF (Network Function) IP ranges via firewall ACLs at the data-center fabric, enforce IPsec/TLS mutual authentication on inter-NF traffic where supported (limits message origination to authenticated peers but adds CPU overhead), and enable rate limiting on the affected ingress interface to blunt the sustained-traffic requirement (may drop legitimate bursty signaling during peaks). Monitor PCG process restart counts and N4/PFCP error metrics as a detective control until the patch is deployed.
Directory traversal vulnerability in the Instance Monitor in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5
The Ericsson-LG iPECS NMS A.1Ac login portal has a SQL injection vulnerability in the User ID and password fields that a
The Ericsson-LG iPECS NMS A.1Ac web application uses incorrect access control mechanisms. Rated critical severity (CVSS
In Ericsson Network Location before 2021-07-31, it is possible for an authenticated attacker to inject commands via file
The Ericsson-LG iPECS NMS A.1Ac web application discloses sensitive information such as the NMS admin credentials and th
In Ericsson ECM before 18.0, it was observed that Security Provider Endpoint in the User Profile Management Section is v
Ericsson-LG iPECS NMS 30M allows directory traversal via ipecs-cm/download?filename=../ URIs. Rated high severity (CVSS
XSS exists in Ericsson Active Library Explorer (ALEX) 14.3 in multiple parameters in the "/cgi-bin/alexserv" servlet, as
Open redirect vulnerability in the 3PI Manager in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 all
In Ericsson ECM before 18.0, it was observed that Security Management Endpoint in User Profile Management Section is vul
In Ericsson BSCS iX R18 Billing & Rating iX R18, ADMX is a web base module in BSCS iX that is vulnerable to stored XSS v
In Ericsson BSCS iX R18 Billing & Rating iX R18, MX is a web base module in BSCS iX that is vulnerable to stored XSS via
Same weakness CWE-230 – Improper Handling of Missing Values
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34823
GHSA-pg3r-xmvg-gj6m