CVE-2025-5520
📋 TL;DR
A reachable assertion vulnerability in Open5GS AMF/MME components allows remote attackers to cause denial of service by triggering assertion failures in authentication state handling functions. This affects Open5GS deployments up to version 2.7.3, potentially disrupting 5G/4G core network services.
💻 Affected Systems
- Open5GS
📦 What is this software?
Open5gs by Open5gs
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for affected AMF/MME components, disrupting 5G/4G network authentication services and potentially causing service outages for connected devices.
Likely Case
Service disruption or crashes of AMF/MME processes, requiring restart and causing temporary authentication failures for mobile devices.
If Mitigated
Minimal impact with proper network segmentation and monitoring allowing quick detection and recovery from service interruptions.
🎯 Exploit Status
Exploit code has been publicly disclosed in GitHub issues and attachments. Remote exploitation is possible without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 9f5d133657850e6167231527514ee1364d37a884 and later
Vendor Advisory: https://github.com/open5gs/open5gs/commit/9f5d133657850e6167231527514ee1364d37a884
Restart Required: Yes
Instructions:
1. Update Open5GS to latest version or apply commit 9f5d133657850e6167231527514ee1364d37a884
2. Recompile Open5GS from source
3. Restart AMF/MME services
4. Verify services are running correctly
🔧 Temporary Workarounds
Network Segmentation
linuxRestrict network access to AMF/MME components to trusted sources only
iptables -A INPUT -p tcp --dport [AMF_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [AMF_PORT] -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to AMF/MME interfaces
- Deploy monitoring and alerting for AMF/MME process crashes with automated restart capabilities
🔍 How to Verify
Check if Vulnerable:
Check Open5GS version: open5gs-amfd --version or examine source code for pre-patch versionsCheck Version:
open5gs-amfd --version 2>&1 | grep -i versionVerify Fix Applied:
Verify commit hash includes 9f5d133657850e6167231527514ee1364d37a884 or version is newer than 2.7.3📡 Detection & Monitoring
Log Indicators:
- AMF/MME process crashes
- Assertion failures in gmm_state_authentication or emm_state_authentication
- Unexpected authentication state transitions
Network Indicators:
- Unusual authentication request patterns to AMF/MME ports
- Multiple failed authentication attempts from single sources
SIEM Query:
process:name="open5gs-amfd" AND (event:contains="assertion" OR event:contains="crash")🔗 References
- https://github.com/open5gs/open5gs/commit/9f5d133657850e6167231527514ee1364d37a884
- https://github.com/open5gs/open5gs/issues/3910
- https://github.com/open5gs/open5gs/issues/3910#issuecomment-2926719317
- https://github.com/user-attachments/files/20362243/Problematic.handover.required.process.zip
- https://vuldb.com/?ctiid.310956
- https://vuldb.com/?id.310956
- https://vuldb.com/?submit.582269
- https://github.com/open5gs/open5gs/issues/3910
