CVE-2025-1893

4.3 MEDIUM

📋 TL;DR

A denial-of-service vulnerability in the Open5GS AMF component allows a single malicious UE to crash the AMF service by exploiting the gmm_state_authentication function. This causes complete loss of mobility and session management services, affecting all registered UEs and blocking new registrations until the AMF is restarted. Organizations running Open5GS AMF up to version 2.7.2 are affected.

💻 Affected Systems

Products:
  • Open5GS
Versions: up to 2.7.2
Operating Systems: All platforms running Open5GS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the AMF (Access and Mobility Management Function) component specifically. All deployments using vulnerable versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Network-wide outage where all registered UEs lose connectivity, new registrations are blocked, and mobility/session management services are completely unavailable until AMF restart.

🟠 Likely Case

Targeted DoS attack causing service disruption for all users on affected AMF, requiring manual intervention to restore service.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring allowing quick detection and isolation of malicious UE.

🌐 Internet-Facing: HIGH - Attack can be launched remotely without authentication, potentially from any internet-connected UE.
🏢 Internal Only: MEDIUM - Internal malicious UE or compromised device could still trigger the vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details have been publicly disclosed in GitHub issues. The vulnerability requires minimal technical skill to exploit as it involves sending specific malformed packets to trigger the crash.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit e31e9965f00d9c744a7f728497cb4f3e97744ee8 and later

Vendor Advisory: https://github.com/open5gs/open5gs/commit/e31e9965f00d9c744a7f728497cb4f3e97744ee8

Restart Required: Yes

Instructions:

1. Back up the current Open5GS configuration
2. Update Open5GS to a version after commit e31e9965f00d9c744a7f728497cb4f3e97744ee8
3. Apply the specific patch if not updating to the latest version
4. Restart the AMF service
5. Verify service functionality

🔧 Temporary Workarounds

Rate limiting UE connections (platform: all)

Implement rate limiting on the AMF to prevent a single UE from sending excessive authentication requests

# Configure rate limiting in Open5GS AMF configuration
# Example: Set max authentication attempts per UE per time window

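Network segmentation and filtering (platform: linux)

Isolate the AMF from untrusted networks and implement packet filtering

# Use firewall rules to restrict access to the AMF
# Example (trusted_network is a placeholder for the source range allowed to reach the AMF):
#   iptables -A INPUT -p sctp --dport 38412 -s trusted_network -j ACCEPT
# The ACCEPT rule only restricts access when everything else is dropped:
#   iptables -A INPUT -p sctp --dport 38412 -j DROP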

🧯 If You Can't Patch

  • Implement strict UE authentication and monitoring to detect malicious behavior patterns
  • Deploy redundant AMF instances with load balancing to maintain service if one instance crashes

🔍 How to Verify

Check if Vulnerable:

Check the Open5GS version and verify whether commit e31e9965f00d9c744a7f728497cb4f3e97744ee8 is applied

Check Version:

open5gs-amfd -v || grep 'version' /usr/local/etc/open5gs/amf.yaml

Verify Fix Applied:

Verify AMF service remains stable when receiving authentication requests and check that commit e31e9965f00d9c744a7f728497cb4f3e97744ee8 is present in git log
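
One way to run the commit check above against a source checkout, as an added example that is not code from the Open5GS project. The function name check_fix and the checkout path are assumptions; it only applies to builds made from a git clone, and a cherry-picked backport of the patch has a different hash and is reported as absent.

```shell
#!/bin/sh
# Added example: report whether HEAD of a source checkout contains the fix
# commit named in this advisory.
FIX_COMMIT=e31e9965f00d9c744a7f728497cb4f3e97744ee8

# check_fix REPO_DIR [COMMIT]   (hypothetical helper)
# Prints one of: present | absent | unknown-commit | not-a-repo
# Returns 0 only for "present".
check_fix() {
    repo=$1
    commit=${2:-$FIX_COMMIT}

    # The directory must be inside a git work tree.
    if ! git -C "$repo" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        echo not-a-repo
        return 3
    fi

    # A shallow or stale clone may not hold the commit object at all. That is
    # not evidence either way, so it is reported separately.
    if ! git -C "$repo" cat-file -e "${commit}^{commit}" 2>/dev/null; then
        echo unknown-commit
        return 2
    fi

    # Ancestry test: true when the commit is HEAD or reachable from HEAD.
    # Unlike grepping "git log", this cannot match a hash quoted in a message.
    if git -C "$repo" merge-base --is-ancestor "$commit" HEAD; then
        echo present
        return 0
    fi

    # Commit object exists (for example on another branch) but the checked-out
    # code does not include it.
    echo absent
    return 1
}

# Usage: sh check_fix.sh /path/to/open5gs   (path is an assumption)
if [ "$#" -ge 1 ]; then
    check_fix "$1"
fi
```

An "unknown-commit" result usually means the clone needs a fetch from upstream before the check is meaningful.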

📡 Detection & Monitoring

Log Indicators:

  • AMF service crash logs
  • Repeated authentication failures from single UE
  • AMF process termination without normal shutdown

Network Indicators:

  • Unusual spike in authentication requests from single source
  • AMF service becoming unresponsive to legitimate requests

SIEM Query:

source="amf.log" ("crash" OR "segmentation fault" OR "authentication failure") | stats count by src_ip | where count > <threshold>
