CVE-2025-63679
📋 TL;DR
A buffer overflow vulnerability in the free5gc AMF component allows remote attackers to crash the AMF process by sending a specially crafted UplinkRANConfigurationTransfer NGAP message. This affects all free5gc deployments up to version 4.1.0 that have the AMF exposed to gNBs. The crash causes denial of service for 5G core network functions.
💻 Affected Systems
- free5gc
📦 What is this software?
Free5gc by Free5gc
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete compromise of the AMF component and potentially the entire free5gc deployment, with attacker gaining control over 5G core network functions.
Likely Case
Denial of service causing AMF process crashes, disrupting 5G network connectivity and preventing new device registrations or handovers.
If Mitigated
Temporary service disruption until AMF process restarts, with potential data loss for in-flight transactions.
🎯 Exploit Status
The GitHub issue contains technical details and the gist shows exploitation patterns. The attack only requires sending a malformed NGAP message to the AMF NGAP interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 4.1.1 or later
Vendor Advisory: https://github.com/free5gc/free5gc/issues/725
Restart Required: Yes
Instructions:
1. Update free5gc to version 4.1.1 or later.
2. Stop all free5gc components.
3. Pull latest code from repository.
4. Rebuild and redeploy AMF component.
5. Restart all free5gc services.
🔧 Temporary Workarounds
Network segmentation and filtering
Linux: Restrict NGAP traffic to only trusted gNBs using firewall rules
iptables -A INPUT -p sctp --dport 38412 -s [trusted_gNB_IP] -j ACCEPT
iptables -A INPUT -p sctp --dport 38412 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate AMF from untrusted gNBs
- Deploy intrusion detection systems to monitor for malformed NGAP messages and implement rate limiting
🔍 How to Verify
Check if Vulnerable:
Check free5gc version: if version <= 4.1.0 and AMF is running, system is vulnerable
Check Version:
cd /path/to/free5gc && git describe --tags
Verify Fix Applied:
Verify free5gc version is 4.1.1 or later and test with valid UplinkRANConfigurationTransfer messages
📡 Detection & Monitoring
Log Indicators:
- AMF process crashes or segmentation faults in logs
- Unexpected termination of amf process
- Error messages related to NGAP message parsing
Network Indicators:
- Unusual NGAP message patterns from gNBs
- Multiple connection attempts with malformed SCTP packets
- Spike in AMF restart events
SIEM Query:
source="free5gc.logs" AND ("segmentation fault" OR "panic" OR "amf crashed")
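The log indicators and the "spike in AMF restart events" indicator above can be combined into one check. The following Python is an added example, not part of the advisory or of free5gc: it applies the same three terms as the SIEM query and reports bursts of crashes inside a sliding window. The line layout (ISO-8601 timestamp, then message), the sample lines, the threshold and the window are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# The three terms from the SIEM query, matched case-insensitively.
CRASH_RE = re.compile(r"segmentation fault|panic|amf crashed", re.IGNORECASE)
# Assumed layout: ISO-8601 timestamp (fraction/zone ignored), space, message.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*\s+(.*)$")

# Constructed sample lines, not real free5gc output.
SAMPLE_LOG = [
    "2025-01-10T09:00:01Z [INFO][AMF][Ngap] Handle NGSetupRequest",
    "2025-01-10T09:02:10Z [FATA][AMF] panic: (constructed sample)",
    "2025-01-10T09:03:40Z [FATA][AMF] panic: (constructed sample)",
    "2025-01-10T09:04:55Z amf[812]: Segmentation fault (constructed sample)",
    "2025-01-10T12:30:00Z [ERRO][AMF] amf crashed (constructed sample)",
]

def crash_events(lines):
    """Yield (timestamp, message) for every line matching a crash indicator."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and CRASH_RE.search(m.group(2)):
            yield datetime.fromisoformat(m.group(1)), m.group(2)

def crash_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Return bursts of >= threshold crashes within window.

    Lines must be in chronological order. Overlapping windows are merged
    into one burst so a sustained crash loop is reported once.
    """
    recent, bursts = deque(), []
    for ts, _ in crash_events(lines):
        recent.append(ts)
        while ts - recent[0] > window:   # drop crashes older than the window
            recent.popleft()
        if len(recent) >= threshold:
            if bursts and recent[0] <= bursts[-1]["end"]:
                bursts[-1]["end"] = ts   # same burst still in progress
                bursts[-1]["count"] += 1
            else:
                bursts.append({"start": recent[0], "end": ts,
                               "count": len(recent)})
    return bursts

if __name__ == "__main__":
    for b in crash_bursts(SAMPLE_LOG):
        print(f"{b['count']} AMF crashes between {b['start']} and {b['end']}")
```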