Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.6.4
A reachable assertion vulnerability has been identified in the Open5GS 5G core implementation, specifically in versions through 2.6.4. The issue arises in the 'mme_ue_find_by_imsi' function, where a malformed NAS packet can lead to a denial-of-service condition. This vulnerability can be exploited by sending a crafted Initial UE Message that triggers the assertion failure, causing the server to crash.
Exploitation of this vulnerability leads to a denial-of-service condition, causing the Open5GS server to crash and disrupt cellular communications.
To reproduce this vulnerability, send an 'Initial UE Message' S1AP packet with a zero-length IMSI field to the Open5GS AMF. This can be done by establishing a connection to the AMF and transmitting the crafted packet over the N2 interface.
Users can upgrade to Open5GS version 2.7.0 or later, where this vulnerability has been fixed.
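The bug class described above, as an added example that is not Open5GS code: a lookup keyed by a peer-supplied IMSI that asserts on the length, next to a version that rejects the malformed length as an ordinary error. The names `ue_ctx_t`, `ue_add`, `ue_find_by_imsi_assert` and `ue_find_by_imsi_checked` are hypothetical, and the 8-byte IMSI bound is an assumption made for the example.

```c
#include <assert.h>
#include <stdint.h>
#include <string.h>
#define MAX_IMSI_LEN 8 /* assumed bound, chosen for this example */
#define MAX_UE 4       /* tiny table, enough for the demonstration */

typedef struct { uint8_t imsi[MAX_IMSI_LEN]; size_t len; int in_use; } ue_ctx_t;
static ue_ctx_t ue_table[MAX_UE];

/* Shared lookup; both callers below must pass 0 < len <= MAX_IMSI_LEN. */
static ue_ctx_t *lookup(const uint8_t *imsi, size_t len)
{
    for (size_t i = 0; i < MAX_UE; i++)
        if (ue_table[i].in_use && ue_table[i].len == len &&
            memcmp(ue_table[i].imsi, imsi, len) == 0)
            return &ue_table[i];
    return NULL;
}

/* Fragile: len is decoded from a peer's message, so this assert is reachable
 * and a zero-length IMSI aborts the whole process instead of one request. */
ue_ctx_t *ue_find_by_imsi_assert(const uint8_t *imsi, size_t len)
{
    assert(imsi != NULL);
    assert(len > 0 && len <= MAX_IMSI_LEN);
    return lookup(imsi, len);
}

/* Hardened: malformed input is an ordinary error the caller can reject. */
ue_ctx_t *ue_find_by_imsi_checked(const uint8_t *imsi, size_t len)
{
    if (imsi == NULL || len == 0 || len > MAX_IMSI_LEN)
        return NULL;
    return lookup(imsi, len);
}

/* Register a context; applies the same length validation before storing. */
int ue_add(const uint8_t *imsi, size_t len)
{
    if (imsi == NULL || len == 0 || len > MAX_IMSI_LEN)
        return -1;
    for (size_t i = 0; i < MAX_UE; i++) {
        if (ue_table[i].in_use) continue;
        ue_table[i] = (ue_ctx_t){ .len = len, .in_use = 1 };
        memcpy(ue_table[i].imsi, imsi, len);
        return 0;
    }
    return -1; /* table full */
}
```

With the checked variant, the message handler can answer a bad identity with a protocol-level reject and keep serving other subscribers; assertions stay reserved for conditions that internal code, not a remote peer, controls.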