CVE-2026-25657: Ericsson Packet Core Gateway (PCG) - Improper Handling of Syntactically Invalid Structure Vulnerability
Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Syntactically Invalid Structure (CWE-228) vulnerability where an attacker continuously sending a specially crafted message can cause service degradation. The impact continues as long as the attack persists, but the system recovers from the crashes when the attack stops.
Metrics
- CVSS v4.0: 7.1
- Severity: HIGH
- Fixed in: 1.30
- Affected Products: 1
HarborGuard Analysis
Synopsis
An improper handling of syntactically invalid structure vulnerability affects Ericsson Packet Core Gateway (PCG) versions prior to 1.30. An unauthenticated attacker on an adjacent network can repeatedly send specially crafted malformed messages to the gateway, causing continuous service degradation for as long as the attack persists. The service recovers once the attack stops, but availability is fully disrupted during an active campaign. A patched-image rebuild at version 1.30 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle PCG components. Any image running a PCG version below 1.30 is flagged immediately.
Available
HarborGuard scores this CVE at 7.1 HIGH using the CVSS v4.0 vector and weights the finding against each environment's compliance policy to determine urgency and routing. The finding is directed to the appropriate inbox within each customer organization based on configured team and severity rules.
Available
A patched-image rebuild at PCG version 1.30 becomes available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard triggers an automated rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
Available
Exploit Conditions
- Network reachability: The attacker must be on an adjacent network (local network, LAN, or VPN segment) to reach the PCG service; remote internet-based exploitation is not possible with this vector.
- Authentication: Not required. No credentials or prior authentication are needed; any unauthenticated party on the adjacent network can send the malformed messages.
- Victim interaction: Not required. The attack is entirely attacker-driven and requires no action from a legitimate user or administrator.
- Attack complexity: Exploitation is reliable and condition-free; no race conditions, specific memory layouts, or environmental prerequisites are required beyond adjacency.
Blast Radius
- The targeted PCG service degrades or crashes continuously while the attack is in progress, disrupting all packet core gateway functions it handles.
- Legitimate network traffic processed by the PCG is dropped or delayed for the full duration of the attack.
- Service availability returns to normal once the attacker stops sending malformed messages, but no self-healing occurs during an active attack.
How HarborGuard Handles This
Available on HarborGuard: images running Ericsson PCG below version 1.30 are flagged automatically at ingest, scored at 7.1 HIGH, and routed according to each environment's compliance policy. Where auto-remediation is enabled, a rebuilt image at version 1.30 is prepared, a regression test run is triggered, and a pull request is opened against affected workloads, with a median time to merged patch PR of around 90 minutes for high-severity issues. For environments where auto-remediation is not enabled, the finding appears in the triage queue with the fix version noted, allowing teams to initiate a manual rebuild at version 1.30. In the interim, network-policy controls that restrict adjacency to the PCG service (such as tightened VLAN segmentation or VPN access controls) can reduce exposure by limiting which hosts can send traffic to the affected port.
Fix available
- Ericsson / Packet Core Gateway (PCG): < 1.30 (from 0)
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
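The following is an added example, not HarborGuard's or Ericsson's code: a check that matches an inventory against the "< 1.30" affected range and reads the exploit conditions back out of the CVSS vector above. It assumes PCG versions are dotted numeric strings; the image names and versions in the inventory are constructed for illustration.

```python
import re

FIXED = (1, 30)  # fix version from the advisory: PCG 1.30
VECTOR = "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"

def parse_version(text):
    """Tuple of ints for a dotted numeric version (assumed scheme), else None."""
    text = text.strip()
    return tuple(map(int, text.split("."))) if re.fullmatch(r"\d+(\.\d+)*", text) else None

def status(version_text, fixed=FIXED):
    """'affected', 'fixed', or 'review' (unparseable, so a human must decide)."""
    v = parse_version(version_text)
    if v is None:
        return "review"
    # Compare component-wise, padded so 1.30 == 1.30.0; a float compare would rank 1.4 above 1.30.
    width = max(len(v), len(fixed))
    pad = lambda t: t + (0,) * (width - len(t))
    return "affected" if pad(v) < pad(fixed) else "fixed"

def parse_vector(vector):
    """Split a CVSS v4.0 vector string into a metric -> value dict."""
    prefix, *metrics = vector.split("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector: " + prefix)
    parsed = dict(m.split(":", 1) for m in metrics)
    missing = {"AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA"} - parsed.keys()
    if missing:
        raise ValueError("missing base metrics: " + ", ".join(sorted(missing)))
    return parsed

def triage(vector):
    """Derive the facts that drive mitigation: who can reach it and what is lost."""
    m = parse_vector(vector)
    return {
        "unauthenticated_no_interaction": m["PR"] == "N" and m["UI"] == "N",
        "adjacent_only": m["AV"] == "A",
        "availability_only": m["VA"] != "N" and m["VC"] == "N" and m["VI"] == "N",
    }

# Constructed inventory (image names and versions are illustrative, not from the advisory).
INVENTORY = {"pcg-edge-a": "1.4", "pcg-edge-b": "1.29.2", "pcg-core": "1.30",
             "pcg-lab": "1.30.0", "pcg-old": "1.30-rc1"}

def flag(inventory=INVENTORY):
    return {name: status(ver) for name, ver in inventory.items()}

if __name__ == "__main__":
    print(flag(), triage(VECTOR))
```

Versions that do not parse are returned as "review" rather than silently treated as fixed, so a suffix such as "-rc1" cannot hide an affected image.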