CVE-2025-41067

7.5 HIGH

📋 TL;DR

A reachable assertion vulnerability in Open5GS NRF (Network Repository Function) allows attackers with network connectivity to send a specific SBI request that deletes the NRF's own registry, causing the NRF process to crash. This results in denial of service, rendering the discovery service unavailable. Affected are Open5GS deployments up to version 2.7.6 where the NRF is exposed to untrusted networks.

💻 Affected Systems

Products:
  • Open5GS
Versions: Up to and including version 2.7.6
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only deployments with NRF component enabled and accessible via network are affected. The vulnerability requires the attacker to have network connectivity to the NRF's SBI interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete unavailability of the NRF discovery service, disrupting 5G core network operations and preventing new devices from registering or discovering network functions.

🟠 Likely Case

Intermittent NRF service disruption requiring manual restart of the NRF process, causing temporary service degradation for 5G network functions.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls preventing unauthorized access to the NRF interface.

🌐 Internet-Facing: HIGH - The NRF's SBI interface is typically network-accessible and the exploit requires only network connectivity, making internet-facing deployments particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal deployments are still vulnerable to insider threats or compromised internal systems, but attack surface is reduced compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires sending a specific SBI request to delete the NRF's own registry, which triggers the assertion failure. No authentication is required beyond network access to the NRF interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 2.7.7 or later

Vendor Advisory: https://open5gs.org/open5gs/release/2025/07/19/release-v2.7.6.html

Restart Required: Yes

Instructions:

1. Download Open5GS version 2.7.7 or later from the official repository.
2. Stop all Open5GS services.
3. Install the updated version following the official installation guide.
4. Restart all Open5GS services.
5. Verify the NRF is running and responding to requests.

🔧 Temporary Workarounds

Network Access Restriction (Linux)

Restrict access to the NRF's SBI interface with firewall rules that allow connections only from trusted network functions. Replace the placeholders with the NRF's listening port and the address range of your trusted NFs, and append the ACCEPT rule before the DROP rule so that trusted traffic is matched first.

iptables -A INPUT -p tcp --dport <NRF_PORT> -s <TRUSTED_IP_RANGE> -j ACCEPT
iptables -A INPUT -p tcp --dport <NRF_PORT> -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the NRF from untrusted networks and systems.
  • Deploy network monitoring and intrusion detection to alert on suspicious SBI requests targeting the NRF.

🔍 How to Verify

Check if Vulnerable:

Check the Open5GS version by examining the installed package or by running the NRF binary with the version flag. If the version is 2.7.6 or earlier, the system is vulnerable.

Check Version:

open5gs-nrfd --version

Verify Fix Applied:

After patching, verify the NRF service is running and test with legitimate SBI requests. Check that the version reported is 2.7.7 or later.

📡 Detection & Monitoring

Log Indicators:

  • NRF process crash logs
  • Assertion failure messages in NRF logs
  • Unexpected SBI DELETE requests targeting NRF's own registry

Network Indicators:

  • SBI DELETE requests to NRF endpoint from unauthorized sources
  • Sudden drop in NRF service availability

SIEM Query:

source="open5gs-nrf.log" AND ("assertion failed" OR "crash" OR "abort")
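The log and network indicators above, turned into a small scanner over sample NRF log lines. This is an added example, not code from the advisory or from Open5GS; the log line layout, the NRF's own NF instance id and the trusted address range are assumptions, and the DELETE path follows the 3GPP TS 29.510 NF-management resource naming.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Assumptions (constructed for this example, not taken from the advisory):
NRF_OWN_INSTANCE_ID = "11111111-2222-3333-4444-555555555555"   # the NRF's own NF instance id
TRUSTED_NETWORKS = [ipaddress.ip_network("10.45.0.0/24")]      # where legitimate NFs live

# Terms from the advisory's SIEM query plus the usual "Assertion `x' failed" wording.
CRASH_TERMS = re.compile(r"assertion[^\n]{0,40}failed|crash|abort", re.I)
# SBI NF-management deregistration (3GPP TS 29.510): DELETE /nnrf-nfm/v1/nf-instances/{id}
DELETE_RE = re.compile(
    r"\[(?P<src>[0-9.]+):\d+\]\s+DELETE\s+/nnrf-nfm/v1/nf-instances/(?P<id>[0-9a-fA-F-]+)"
)


def classify(line: str) -> Optional[str]:
    """Return an indicator label for one log line, or None if the line is benign."""
    m = DELETE_RE.search(line)
    if m:
        if m.group("id").lower() == NRF_OWN_INSTANCE_ID:
            return "self-delete"       # attempt to delete the NRF's own registry entry
        src = ipaddress.ip_address(m.group("src"))
        if not any(src in net for net in TRUSTED_NETWORKS):
            return "untrusted-delete"  # deregistration from outside the trusted range
        return None                    # ordinary deregistration by a trusted NF
    if CRASH_TERMS.search(line):
        return "crash"                 # assertion failure / abort in the NRF log
    return None


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, label, line) for every line matching an indicator."""
    return [(n, lab, ln) for n, ln in enumerate(lines, 1) if (lab := classify(ln))]


# Constructed sample log; the layout imitates a timestamped NRF log but is not real output.
SAMPLE_LOG = [
    "09/29 10:01:12.001: [sbi] INFO: [10.45.0.7:40120] DELETE /nnrf-nfm/v1/nf-instances/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "09/29 10:01:13.550: [sbi] INFO: [192.0.2.44:51231] DELETE /nnrf-nfm/v1/nf-instances/11111111-2222-3333-4444-555555555555",
    "09/29 10:01:13.552: [core] FATAL: Assertion `nf_instance' failed.",
    "09/29 10:01:14.000: [sbi] INFO: [192.0.2.44:51232] DELETE /nnrf-nfm/v1/nf-instances/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "09/29 10:01:15.000: [nrf] INFO: NF registered: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
]

if __name__ == "__main__":
    for n, label, line in scan(SAMPLE_LOG):
        print(f"line {n}: {label}: {line}")
```

A "self-delete" hit immediately followed by a "crash" hit is the sequence the advisory describes; a trusted NF deregistering its own entry produces no alert.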
