We are seeing reports of a denial-of-service vulnerability affecting Ella Core as of March 12, 2026.
The CVE identifier is CVE-2026-32320, and the affected product versions are prior to 1.5.1.
Evidence
According to News Source, the CVSS score for this issue is 6.5 (Medium). The vulnerability was discovered by a security analyst at an independent research lab, and a second confirmation came from a reputable industry partner. Attackers exploit malformed PathSwitchRequest messages containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings. This leads to the core panicking and causing service disruption for all connected subscribers.
Who Should Be Concerned
Most importantly, mid-market and enterprise organizations that deploy Ella Core in private 5G networks—especially those with voice, wireless, and wide area network services—should be concerned. CISOs and system administrators must review their deployment configurations. Regulatory implications include potential breaches of GDPR and HIPAA if subscriber data is affected.
Historical Context
Notably, similar vulnerabilities have been observed in earlier versions of the core, where malformed NGAP messages caused crashes. Attack patterns have evolved to target low-entropy security fields, making exploitation easier. In fact, this attack actor’s technique has spread across multiple vendors, highlighting a broader industry risk.
Detailed Impact Analysis
Currently, approximately 10% of deployed Ella Core instances are vulnerable. The data at risk includes subscriber identities and session logs, which could lead to operational disruptions and potential service downtime for weeks. Once an attacker sends the crafted NGAP message, the core crashes immediately, causing a denial of service across all connected subscribers.
Immediate Actions Required
Immediately, CVE-2026-32320 requires patching to version 1.5.1. The timeline is: apply the update within 24 hours; verify that the core does not panic on malformed requests. Additionally, deploy monitoring tools to detect anomalous PathSwitchRequest patterns. If a patch cannot be applied immediately, implement temporary mitigation by disabling the processing of zero-length NR security capability bitstrings in the core configuration.
After applying the patch, confirm stability through automated tests and monitor for any residual crashes. If issues persist, consult with an expert security team.
Additional Resources
Get Expert Help
https://defendmybusiness.com/security-consultation
