{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-44473/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["core (\u003c 1.10.0)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","5G","downlink redirection","CVE-2026-44473"],"_cs_type":"threat","_cs_vendors":["ellanetworks"],"content_html":"\u003cp\u003eElla Core, a component in 5G networks, is vulnerable to a downlink redirection attack. A radio with a valid NG Setup can exploit this vulnerability by sending a forged PDUSessionResourceSetupResponse containing the AMF-UE-NGAP-ID of a target UE. The vulnerability, identified as CVE-2026-44473, lies in the core\u0026rsquo;s failure to verify that the forged message arrived on the SCTP association bound to the UE\u0026rsquo;s logical NG-connection. This allows a malicious radio to create a GTP tunnel to itself, redirecting downlink traffic intended for the targeted UE. This vulnerability affects versions prior to 1.10.0. Defenders need to implement proper checks and validations on the SCTP association to prevent unauthorized traffic redirection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to a radio with valid NG Setup credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the AMF-UE-NGAP-ID of a target UE.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a forged PDUSessionResourceSetupResponse message, using the targeted UE\u0026rsquo;s AMF-UE-NGAP-ID.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the forged PDUSessionResourceSetupResponse message to the Ella Core.\u003c/li\u003e\n\u003cli\u003eDue to the missing verification of the SCTP association, Ella Core processes the forged message.\u003c/li\u003e\n\u003cli\u003eElla Core establishes a GTP tunnel towards the attacker\u0026rsquo;s radio based on the forged message.\u003c/li\u003e\n\u003cli\u003eDownlink user-plane traffic intended for the targeted UE is routed to the attacker\u0026rsquo;s radio.\u003c/li\u003e\n\u003cli\u003eThe attacker can now intercept and potentially manipulate the redirected downlink traffic.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to redirect downlink user-plane traffic for a targeted UE to a rogue radio. This can lead to eavesdropping on user communications, data theft, or other malicious activities. The number of affected users depends on the scale of the attacker\u0026rsquo;s operation. Sectors utilizing 5G networks are at risk. If successful, attackers can gain unauthorized access to sensitive data transmitted over the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Ella Core to version 1.10.0 or later to patch CVE-2026-44473, as described in the overview.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect suspicious PDUSessionResourceSetupResponse messages originating from unexpected SCTP associations, as this behavior would be detected by the Sigma rule \u0026ldquo;Detect Forged PDUSessionResourceSetupResponse from Unassociated SCTP\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eEnforce strict validation of SCTP associations for all UE context lookups to prevent the processing of forged messages as detailed in the fix description.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T15:19:38Z","date_published":"2026-05-11T15:19:38Z","id":"https://feed.craftedsignal.io/briefs/2026-05-ella-core-downlink-redirection/","summary":"Ella Core is vulnerable to UE downlink redirection (CVE-2026-44473) due to missing SCTP association verification, enabling a malicious radio to forge a PDUSessionResourceSetupResponse and redirect downlink traffic.","title":"Ella Core Vulnerable to UE Downlink Redirection via Forged PDUSessionResourceSetupResponse (CVE-2026-44473)","url":"https://feed.craftedsignal.io/briefs/2026-05-ella-core-downlink-redirection/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-44473","version":"https://jsonfeed.org/version/1.1"}