CVE-2025-29632
📋 TL;DR
A buffer overflow vulnerability in Free5gc v4.0.0 allows remote attackers to cause denial of service by sending specially crafted messages to the AMF component. This affects organizations running vulnerable versions of the free5gc 5G core network software.
💻 Affected Systems
- free5gc
📦 What is this software?
Free5gc by Free5gc
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of the 5G core network AMF component, potentially affecting subscriber connectivity and network operations.
Likely Case
AMF service crash requiring restart, causing temporary service interruption for affected subscribers.
If Mitigated
Controlled restart of affected component with minimal service impact if monitoring and redundancy are in place.
🎯 Exploit Status
Public PoC available on GitHub, exploitation requires network access to AMF component.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.1 or later
Vendor Advisory: https://github.com/free5gc/free5gc/issues/657
Restart Required: Yes
Instructions:
1. Update free5gc to version 4.0.1 or later. 2. Restart all free5gc components. 3. Verify AMF component is running correctly.
🔧 Temporary Workarounds
Network Segmentation
linuxRestrict network access to AMF component to trusted sources only
iptables -A INPUT -p tcp --dport 38412 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 38412 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit AMF exposure
- Deploy monitoring and alerting for AMF service restarts
🔍 How to Verify
Check if Vulnerable:
Check free5gc version: free5gc version | grep '4.0.0'Check Version:
free5gc versionVerify Fix Applied:
Verify version is 4.0.1 or later: free5gc version📡 Detection & Monitoring
Log Indicators:
- AMF service crashes
- Unexpected AMF restarts
- Memory allocation errors in AMF logs
Network Indicators:
- Unusual traffic patterns to AMF port 38412
- Large NAS messages to AMF
SIEM Query:
source="free5gc.logs" AND ("AMF crash" OR "panic" OR "segmentation fault")