CVE-2025-65805

7.5 HIGH

📋 TL;DR

OpenAirInterface CN5G AMF versions up to v2.1.9 have a buffer overflow vulnerability when processing NAS messages with overly long IMSI strings. Unauthorized remote attackers can cause denial-of-service or potentially execute arbitrary code by sending malicious packets to port N1. This affects 5G core network deployments using vulnerable OpenAirInterface AMF components.

💻 Affected Systems

Products:
  • OpenAirInterface CN5G AMF
Versions: <= v2.1.9
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with AMF service running and accessible on port N1 (typically 38412).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete compromise of the AMF component, potentially allowing lateral movement within the 5G core network.

🟠 Likely Case

Denial-of-service causing AMF service disruption, affecting 5G network availability for connected devices.

🟢 If Mitigated

Service disruption limited to the affected AMF instance if proper network segmentation and monitoring are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in a publicly documented component with clear trigger conditions (IMSI > 1000 characters).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.2.0 or later

Vendor Advisory: https://github.com/OPENAIRINTERFACE/openair-cn5g-amf

Restart Required: Yes

Instructions:

1. Update OpenAirInterface CN5G AMF to version v2.2.0 or later.
2. Restart the AMF service.
3. Verify the service is running correctly.

🔧 Temporary Workarounds

Network Access Control

Restrict access to AMF port N1 (typically 38412) using firewall rules to only allow connections from trusted sources.

# NGAP on port 38412 is carried over SCTP (3GPP TS 38.412), so a tcp-only
# rule would not match this traffic; filter the SCTP port instead.
# Replace <trusted_ip_range> with the address range of your gNB/RAN nodes.
iptables -A INPUT -p sctp --dport 38412 -s <trusted_ip_range> -j ACCEPT
iptables -A INPUT -p sctp --dport 38412 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate AMF components from untrusted networks.
  • Deploy intrusion detection systems to monitor for anomalous NAS message patterns.

🔍 How to Verify

Check if Vulnerable:

Check AMF version using the software's version command or configuration files. If version is <= v2.1.9 and port N1 is exposed, the system is vulnerable.

Check Version:

Check the AMF configuration file or run the AMF binary with --version flag if available.

Verify Fix Applied:

Confirm AMF version is v2.2.0 or later and test with a legitimate NAS message to ensure service functionality.

📡 Detection & Monitoring

Log Indicators:

  • AMF logs showing processing errors for NAS messages
  • Unusually large IMSI strings in authentication logs
  • AMF service crash or restart events

Network Indicators:

  • Unusual traffic patterns to port 38412
  • NAS messages with IMSI fields exceeding normal length (typically 15 digits)

SIEM Query:

source="amf.log" AND ("buffer overflow" OR "service crash" OR imsi_length>1000)

(Assumes an imsi_length field is extracted from the IMSI value at ingest; the exact field name and comparison syntax depend on your SIEM.)
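The log and network indicators above reduce to one check: an IMSI value whose digit count is far outside the normal 15, plus crash or restart events from the AMF. The following script is an added example of that detection logic, not code from the advisory or from the OpenAirInterface project. The log line format, the regex used to pull the IMSI out of a line, and the sample lines themselves are constructed for illustration; adapt the regex to whatever your AMF actually writes.

```python
import re
from typing import List, NamedTuple, Optional

# Thresholds taken from the advisory text: a normal IMSI is at most 15 digits,
# and the overflow trigger condition is an IMSI longer than 1000 characters.
IMSI_NORMAL_MAX_DIGITS = 15
IMSI_OVERFLOW_TRIGGER = 1000

# Keywords from the Log Indicators section; "restarting" is an added assumption.
CRASH_KEYWORDS = ("buffer overflow", "service crash", "restarting")

# Assumed log format: the IMSI appears as "imsi-<digits>" (or "IMSI: <digits>").
IMSI_RE = re.compile(r"imsi[-:= ]*(\d+)", re.IGNORECASE)

# Constructed sample AMF log lines (not real OAI output).
SAMPLE_AMF_LOG = "\n".join([
    "[AMF] [info] Registration Request from SUPI imsi-208950000000031",  # 15 digits: normal
    "[AMF] [info] Registration Request from SUPI imsi-" + "9" * 20,      # 20 digits: suspicious
    "[AMF] [info] Registration Request from SUPI imsi-" + "1" * 1200,    # > 1000: overflow trigger
    "[AMF] [error] NAS decode error, AMF service crash detected",         # crash indicator
    "[AMF] [info] Registration Request from SUPI imsi-208950000000042",  # normal
])


class Finding(NamedTuple):
    line_no: int
    severity: str  # "critical", "suspicious" or "error"
    reason: str


def extract_imsi(line: str) -> Optional[str]:
    """Return the IMSI digit string found in a log line, or None."""
    m = IMSI_RE.search(line)
    return m.group(1) if m else None


def classify_line(line_no: int, line: str) -> Optional[Finding]:
    """Map one log line to a Finding, or None if it looks benign."""
    imsi = extract_imsi(line)
    if imsi is not None:
        n = len(imsi)
        if n > IMSI_OVERFLOW_TRIGGER:
            return Finding(line_no, "critical",
                           f"IMSI of {n} digits exceeds overflow trigger ({IMSI_OVERFLOW_TRIGGER})")
        if n > IMSI_NORMAL_MAX_DIGITS:
            return Finding(line_no, "suspicious",
                           f"IMSI of {n} digits exceeds normal maximum ({IMSI_NORMAL_MAX_DIGITS})")
    lowered = line.lower()
    for kw in CRASH_KEYWORDS:
        if kw in lowered:
            return Finding(line_no, "error", f"log line contains '{kw}'")
    return None


def scan_log(text: str) -> List[Finding]:
    """Scan a whole log and return every finding in line order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        finding = classify_line(line_no, line)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_AMF_LOG):
        print(f"line {f.line_no}: [{f.severity}] {f.reason}")
```

Run it against a real log file by passing the file contents to scan_log; "suspicious" findings (16 to 1000 digits) merit a look because a malformed IMSI of any oversized length is abnormal, while a "critical" finding means a message matching the stated overflow trigger reached the AMF, so the instance should be checked for a crash and the source address traced.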
