CVE-2025-63288

7.5 HIGH

📋 TL;DR

Open5GS AMF crashes when receiving a malformed NGSetupRequest message, causing denial of service for 5G core network users. This affects all deployments running vulnerable versions of Open5GS, potentially disrupting mobile network connectivity.

💻 Affected Systems

Products:
  • Open5GS
Versions: 2.7.6 and possibly earlier versions
Operating Systems: Linux, BSD-based systems
Default Config Vulnerable: ⚠️ Yes
Notes: All Open5GS deployments with AMF component enabled are vulnerable

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete AMF service outage, disrupting 5G network registration and mobility management for all users in the affected area

🟠 Likely Case

Intermittent AMF crashes requiring manual restart, causing service disruptions and potential data loss

🟢 If Mitigated

Limited impact with proper monitoring and automated recovery mechanisms in place

🌐 Internet-Facing: MEDIUM - NG interface may be exposed to untrusted networks in some deployments
🏢 Internal Only: HIGH - Even internal attackers or misconfigured network elements can trigger the crash

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires sending a specially crafted NGSetupRequest message to the AMF NG interface

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.7 or apply commit be765fe2b03e350836272eee5afb3931bdfb86d5

Vendor Advisory: https://github.com/open5gs/open5gs/issues/4087

Restart Required: Yes

Instructions:

1. Update Open5GS to version 2.7.7 or later.
2. Apply the specific commit if using custom build.
3. Restart AMF service.
4. Verify AMF is running and accepting connections.

🔧 Temporary Workarounds

Network Segmentation

linux

Restrict access to AMF NG interface to trusted gNB elements only

iptables -A INPUT -p sctp --dport 38412 -s trusted_gNB_ip -j ACCEPT
iptables -A INPUT -p sctp --dport 38412 -j DROP

🧯 If You Can't Patch

  • Implement rate limiting on AMF interface to prevent rapid exploitation
  • Deploy AMF redundancy with automatic failover to minimize service disruption

🔍 How to Verify

Check if Vulnerable:

Check Open5GS version: open5gs-amfd --version. If version is 2.7.6 or earlier, system is vulnerable.

Check Version:

open5gs-amfd --version

Verify Fix Applied:

After patching, verify AMF service remains running after receiving normal NGSetupRequest traffic

📡 Detection & Monitoring

Log Indicators:

  • AMF process crash/restart logs
  • Unexpected NGSetupRequest messages
  • Segmentation fault in AMF logs

Network Indicators:

  • Abnormal SCTP packets to port 38412
  • Repeated NGSetupRequest messages from single source

SIEM Query:

source="open5gs-amf.log" AND ("segmentation fault" OR "crash" OR "abnormal NGSetupRequest")
