CVE-2025-70121
📋 TL;DR
A remote array index out-of-bounds vulnerability in free5GC's AMF component allows attackers to crash the AMF service via specially crafted 5GS Mobile Identity in NAS Registration Request messages. This causes denial of service to 5G core network functions. Organizations running free5GC v4.0.1 in production are affected.
💻 Affected Systems
- free5GC
📦 What is this software?
Free5gc by Free5gc
⚠️ Risk & Real-World Impact
Worst Case
Complete AMF service crash leading to widespread 5G service disruption, preventing new device registrations and potentially affecting existing connections.
Likely Case
Targeted AMF crashes causing localized service denial for affected network segments or subscribers.
If Mitigated
Minimal impact with proper network segmentation, rate limiting, and monitoring in place to detect and block malicious traffic.
🎯 Exploit Status
Exploitation requires sending crafted NAS Registration Request messages but does not require authentication. The vulnerability is straightforward to trigger once the packet format is understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v4.0.2 or later
Vendor Advisory: https://github.com/free5gc/free5gc/issues/747
Restart Required: Yes
Instructions:
1. Backup current configuration. 2. Update free5GC to v4.0.2 or later using git pull or package update. 3. Rebuild the AMF component. 4. Restart the AMF service.
🔧 Temporary Workarounds
Network Filtering
allImplement network filtering to block or rate limit NAS Registration Request messages from untrusted sources.
AMF Restart Monitoring
allDeploy automated monitoring to detect and restart crashed AMF instances.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate AMF components from untrusted networks
- Deploy intrusion detection systems to monitor for abnormal NAS Registration Request patterns
🔍 How to Verify
Check if Vulnerable:
Check if running free5GC v4.0.1 by examining the version in configuration files or running 'free5gc version' command.Check Version:
free5gc version || grep version /path/to/free5gc/config/*.yamlVerify Fix Applied:
Verify installation of v4.0.2 or later and test with valid NAS Registration Request messages to ensure AMF remains stable.📡 Detection & Monitoring
Log Indicators:
- AMF panic logs mentioning 'index out of range' in NAS_MobileIdentity5GS.go
- Unexpected AMF service restarts
- Error logs related to GetSUCI method
Network Indicators:
- Unusual volume of NAS Registration Request messages
- Malformed 5GS Mobile Identity fields in network captures
SIEM Query:
source="free5gc" AND ("panic" OR "out of range" OR "AMF crash")