CVE-2025-70123 – A protocol compliance vulnerability in free5GC'... (How to Fix)

Q: What is the severity of CVE-2025-70123?

CVE-2025-70123 has a CVSS score of 7.5 (HIGH). A protocol compliance vulnerability in free5GC's UPF component allows remote attackers to send malformed PFCP Association Setup Requests that violate 3GPP standards. This causes the UPF to enter an inconsistent state where subsequent legitimate PFCP Session Establishment Requests trigger cascading failures, disrupting SMF connections and causing service degradation. Organizations running free5GC v4.0.1 in 5G core networks are affected.

📋 TL;DR

A protocol compliance vulnerability in free5GC's UPF component allows remote attackers to send malformed PFCP Association Setup Requests that violate 3GPP standards. This causes the UPF to enter an inconsistent state where subsequent legitimate PFCP Session Establishment Requests trigger cascading failures, disrupting SMF connections and causing service degradation. Organizations running free5GC v4.0.1 in 5G core networks are affected.

💻 Affected Systems

Products:

free5GC

Versions: v4.0.1

Operating Systems: Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects deployments using the UPF component. Requires PFCP protocol access to the UPF interface.

📦 What is this software?

Free5gc by Free5gc

View all CVEs affecting Free5gc →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service across the 5G core network, disrupting all user plane traffic and potentially affecting multiple network slices and services.

🟠

Likely Case

Service degradation affecting specific network slices or user groups, with intermittent connectivity issues and potential service disruptions.

🟢

If Mitigated

Limited impact to isolated UPF instances with proper network segmentation and monitoring in place.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires knowledge of PFCP protocol and ability to send malformed packets to UPF interface. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.0.2 or later

Vendor Advisory: https://github.com/free5gc/free5gc/issues/745

Restart Required: Yes

Instructions:

1. Backup current configuration. 2. Update free5GC to v4.0.2 or later using git pull or package update. 3. Restart UPF service. 4. Verify PFCP association functionality.

🔧 Temporary Workarounds

Network ACL Restriction

Linux

Restrict PFCP traffic to trusted sources only using network access controls

iptables -A INPUT -p udp --dport 8805 -s <trusted_ip> -j ACCEPT
iptables -A INPUT -p udp --dport 8805 -j DROP

🧯 If You Can't Patch

Implement strict network segmentation to isolate UPF from untrusted networks
Deploy network monitoring for abnormal PFCP traffic patterns and implement rate limiting

🔍 How to Verify

Check if Vulnerable:

Check free5GC version: free5gc version | grep 'free5GC UPF'

Check Version:

free5gc version

Verify Fix Applied:

Verify version is v4.0.2 or later and test PFCP association with valid/malformed requests

📡 Detection & Monitoring

Log Indicators:

UPF crash logs
PFCP association failures
SMF connection disruptions
Error messages about malformed PFCP packets

Network Indicators:

Unusual PFCP traffic patterns
Multiple PFCP Association Setup Requests from single source
Protocol violations in PFCP traffic

SIEM Query:

source="free5gc-upf.log" AND ("malformed" OR "protocol violation" OR "association failure")

📊 Metadata

CVE ID: CVE-2025-70123

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-20

EPSS Score: 0.1% exploit probability (28.5th percentile)

Published: February 13, 2026

Last Updated: February 18, 2026

🔗 References

https://github.com/free5gc/free5gc/issues/745 Exploit,Issue Tracking,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-70123, you might also want to check these: