Description
Ella Core is a 5G core designed for private networks. Prior to 1.10.0, a radio with a valid NG Setup can send a forged PDUSessionResourceSetupResponse carrying any UE's AMF-UE-NGAP-ID. Ella Core does not verify the message arrived on the SCTP association bound to that UE's logical NG-connection, then creates a GTP tunnel towards that radio. This vulnerability is fixed in 1.10.0.
Published: 2026-05-27
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A radio equipped with a valid NG Setup can send a forged PDUSessionResourceSetupResponse that carries any UE's AMF-UE-NGAP-ID. Ella Core does not verify that the message arrived on the SCTP association bound to the target UE’s logical NG‑connection, and consequently it creates a GTP tunnel toward that radio. The flaw allows an attacker to create a rogue GTP tunnel which can redirect or intercept user traffic. The weakness is a failure to verify the source of a critical control message (CWE‑358) and improper handling of identifiers (CWE‑863).

Affected Systems

Ella Core, a 5G core platform developed by Ellanetworks. All deployments running a version prior to 1.10.0 are impacted, as the vulnerability is fixed in 1.10.0 and later releases. The vulnerability concerns the radio interface of the core, not the network element’s operating system.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity potential impact on confidentiality, integrity, or availability. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, which suggests it is not currently a widely exploited vulnerability. The attack vector is remote, requiring an attacker to act as a radio that can transmit forged messages over the NG interface. Successful exploitation could allow the attacker to redirect user traffic, perform man‑in‑the‑middle attacks, or gain unauthorized access to user data. The lack of an official workaround means the only reliable mitigation is to upgrade to the patched version.

Generated by OpenCVE AI on May 27, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Ella Core to version 1.10.0 or newer.
  • Reconfigure the network to restrict the acceptance of PDUSessionResourceSetupResponse messages to authenticated radios only.
  • Continuously monitor core logs for anomalous GTP tunnel creations and unauthorized PDUSessionResourceSetupResponse traffic.

Generated by OpenCVE AI on May 27, 2026 at 21:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qfxw-v8qx-vj3v Ella Core Vulnerable to UE Downlink Redirection via Forged PDUSessionResourceSetupResponse
History

Thu, 28 May 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Ellanetworks
Ellanetworks core
Vendors & Products Ellanetworks
Ellanetworks core

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description Ella Core is a 5G core designed for private networks. Prior to 1.10.0, a radio with a valid NG Setup can send a forged PDUSessionResourceSetupResponse carrying any UE's AMF-UE-NGAP-ID. Ella Core does not verify the message arrived on the SCTP association bound to that UE's logical NG-connection, then creates a GTP tunnel towards that radio. This vulnerability is fixed in 1.10.0.
Title Ella Core: UE Downlink Redirection via Forged PDUSessionResourceSetupResponse
Weaknesses CWE-358
CWE-863
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}

Subscriptions

Ellanetworks Core
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T15:16:05.261Z

Reserved: 2026-05-06T17:18:51.782Z

Link: CVE-2026-44473

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-27T17:16:39.070

Modified: 2026-05-27T20:03:09.937

Link: CVE-2026-44473

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T02:15:03Z

Weaknesses