CVE-2025-25774

6.5 MEDIUM

📋 TL;DR

This vulnerability in Open5GS allows attackers to cause a denial of service by triggering a crash in the AMF component during specific handover scenarios. Attackers can disrupt 5G network services by exploiting an exception in the AMF's internal state machine. This affects organizations running vulnerable versions of Open5GS in their 5G core networks.

💻 Affected Systems

Products:
  • Open5GS
Versions: v2.7.2 and potentially earlier versions
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with the AMF component enabled that use handover between gNBs.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete AMF service disruption leading to loss of 5G connectivity for all users served by the affected AMF instance, potentially cascading to other network functions.

🟠 Likely Case

Temporary AMF crash requiring manual restart, causing service interruption for users during handover operations.

🟢 If Mitigated

Minimal impact with proper monitoring and automated recovery mechanisms in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires specific timing during UE handover between gNBs, but detailed technical analysis is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 2e68706f1eea029d5172ccad946e78b352c031d0

Vendor Advisory: https://github.com/open5gs/open5gs/issues/3671

Restart Required: Yes

Instructions:

1. Update Open5GS to the latest version or apply commit 2e68706f1eea029d5172ccad946e78b352c031d0
2. Recompile and reinstall Open5GS
3. Restart AMF service
4. Verify fix with test handover scenarios

🔧 Temporary Workarounds

Rate limit handover requests

linux

Implement rate limiting on handover requests to reduce likelihood of triggering the timing condition

# Configure rate limiting in AMF configuration
# Example: Set max_handover_requests_per_second in amf.yaml

Disable handover functionality

linux

Temporarily disable handover between gNBs if not critically required

# Set handover_enabled: false in AMF configuration

🧯 If You Can't Patch

  • Implement network segmentation to isolate AMF from untrusted traffic sources
  • Deploy redundant AMF instances with load balancing to maintain service during crashes

🔍 How to Verify

Check if Vulnerable:

Check the Open5GS version and whether commit 2e68706f1eea029d5172ccad946e78b352c031d0 is applied. If it is not applied, the deployment is vulnerable.

Check Version:

open5gs-amfd -v

Verify Fix Applied:

Test handover scenarios between gNBs and monitor AMF stability. Check that commit 2e68706f1eea029d5172ccad946e78b352c031d0 is present.
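
One way to carry out the commit check above when the AMF was built from a git checkout of the Open5GS source (added example, not code from the Open5GS project; the function name `check_fix_applied` and the checkout path are assumptions). It reports `unknown` instead of guessing when the fix commit object is absent from the clone, as with a shallow clone or a packaged install without source.

```shell
#!/bin/sh
# Added example: decide whether a local Open5GS source checkout contains the
# fix commit named in this advisory. Usage (path is an assumption):
#   check_fix_applied /usr/src/open5gs
FIX_COMMIT="2e68706f1eea029d5172ccad946e78b352c031d0"

# check_fix_applied REPO_DIR [COMMIT] [REV]
# Prints one status word and returns:
#   0 patched     COMMIT is REV or an ancestor of REV
#   1 vulnerable  COMMIT exists in the clone but REV does not contain it
#   2 unknown     not a git work tree, COMMIT object missing, or REV invalid
check_fix_applied() {
    repo=$1
    commit=${2:-$FIX_COMMIT}
    rev=${3:-HEAD}

    if ! git -C "$repo" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        echo unknown
        return 2
    fi

    # The commit object must exist locally. Without this check, a shallow or
    # stale clone would be reported as "vulnerable" for the wrong reason.
    if ! git -C "$repo" cat-file -e "${commit}^{commit}" 2>/dev/null; then
        echo unknown
        return 2
    fi

    # merge-base --is-ancestor exits 0 (ancestor), 1 (not an ancestor),
    # or another status on error such as an unresolvable REV.
    rc=0
    git -C "$repo" merge-base --is-ancestor "$commit" "$rev" 2>/dev/null || rc=$?
    case $rc in
        0) echo patched; return 0 ;;
        1) echo vulnerable; return 1 ;;
        *) echo unknown; return 2 ;;
    esac
}
```

A `patched` result covers only the source tree; the running AMF must still be rebuilt from it and restarted, as in the fix instructions.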

📡 Detection & Monitoring

Log Indicators:

  • AMF crash logs
  • Unexpected AMF process termination
  • Handover request errors in AMF logs
  • State machine exception messages

Network Indicators:

  • Unusual handover request patterns
  • Multiple failed handover attempts from same UE
  • AMF service unavailability alerts

SIEM Query:

source="amf.log" AND ("crash" OR "exception" OR "handover error")
