Login Sign Up

CVE-2025-5935

5.3 MEDIUM
Denial of Service

📋 TL;DR

A denial-of-service vulnerability in Open5GS AMF/MME component allows remote attackers to crash the service by manipulating the ran_ue_id argument in the common_register_state function. This affects Open5GS deployments up to version 2.7.3. The vulnerability can be exploited remotely without authentication.

💻 Affected Systems

Products:
  • Open5GS
Versions: Up to and including 2.7.3
Operating Systems: Linux, Unix-based systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using the AMF/MME component. Core network deployments are vulnerable if exposed to untrusted traffic.

📦 What is this software?

Open5gs by Open5gs

View all CVEs affecting Open5gs →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption of the AMF/MME component, potentially affecting mobile network connectivity for all users served by the vulnerable instance.

🟠

Likely Case

Service crashes requiring manual restart, causing temporary service outages and potential call/session drops.

🟢

If Mitigated

Minimal impact with proper network segmentation and monitoring allowing quick detection and recovery.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code has been publicly disclosed in GitHub issues and attachments. Attack requires network access to the AMF/MME interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: After commit 62cb99755243c9c38e4c060c5d8d0e158fe8cdd5

Vendor Advisory: https://github.com/open5gs/open5gs/commit/62cb99755243c9c38e4c060c5d8d0e158fe8cdd5

Restart Required: Yes

Instructions:

1. Update Open5GS to latest version or apply commit 62cb99755243c9c38e4c060c5d8d0e158fe8cdd5. 2. Rebuild from source if using source installation. 3. Restart all AMF/MME services.

🔧 Temporary Workarounds

Network Segmentation

linux

Restrict access to AMF/MME interfaces to trusted networks only

iptables -A INPUT -p tcp --dport <AMF_PORT> -s <TRUSTED_NETWORK> -j ACCEPT
iptables -A INPUT -p tcp --dport <AMF_PORT> -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure to AMF/MME interfaces
  • Deploy monitoring and automated restart mechanisms to detect and recover from crashes

🔍 How to Verify

Check if Vulnerable:

Check Open5GS version: open5gs-mmed --version. If version is 2.7.3 or earlier, system is vulnerable.

Check Version:

open5gs-mmed --version

Verify Fix Applied:

Verify commit 62cb99755243c9c38e4c060c5d8d0e158fe8cdd5 is present in git log or version is newer than 2.7.3.

📡 Detection & Monitoring

Log Indicators:

  • AMF/MME service crashes
  • Unexpected termination of mmed process
  • Error logs mentioning common_register_state or ran_ue_id

Network Indicators:

  • Unusual traffic patterns to AMF/MME ports
  • Multiple connection attempts with malformed RAN UE IDs

SIEM Query:

process_name:"open5gs-mmed" AND (event_type:"crash" OR exit_code:139)

📊 Metadata

CVE ID: CVE-2025-5935
CVSS v3 Score: 5.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-404
EPSS Score: 0.42% exploit probability (61.5th percentile)
Published: June 10, 2025
Last Updated: August 25, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-5935, you might also want to check these:

CVE-2025-38385 7.8

This CVE describes a kernel warning triggered during USB device disconnection in the Linux kernel's ...

Same vulnerability type (CWE-404)
CVE-2022-23033 7.8

This Xen hypervisor vulnerability on ARM systems allows guest virtual machines to retain access to m...

Same vulnerability type (CWE-404)
CVE-2021-0984 7.8

This vulnerability in Android 12 allows local privilege escalation without user interaction. An inco...

Same vulnerability type (CWE-404)