Primary

Context

Open5GS Reachable Assertion Vulnerability in amf_ue_set_suci Function Allowing Denial-of-Service

Vulnerability

A reachable assertion vulnerability has been identified in the Open5GS 5G Access and Mobility Management Function (AMF) versions through 2.6.4. The vulnerability arises in the amf_ue_set_suci function, where a malformed SUCI (Subscription Concealed Identifier) within a NAS (Non-Access Stratum) 5GMM (5G Mobility Management) message can lead to a parsing error. This error causes the assertion to be triggered, resulting in a denial-of-service condition.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by crashing the AMF, disrupting all cellular communications managed by the affected AMF instance.

Reproduction

To reproduce this vulnerability, send a crafted NAS 5GMM message containing a malformed SUCI to the Open5GS AMF. This can be done over the N2 interface, which is accessible to remote attackers.

Remediation

Users can upgrade to Open5GS version 2.7.0 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

1.4

impact

2.5

exploitability

8.0

remediation

0.0

relevance

0.0

threat

4.8

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

1.4

impact

2.5

exploitability

8.0

remediation

0.0

relevance

0.0

threat

4.8

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Open5GS Reachable Assertion Vulnerability in amf_ue_set_suci Function Allowing Denial-of-Service

Vulnerability

Impact

Reproduction

Remediation

Affected Products

Open5GS

Magma

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating