Open5GS, Denial of Service (DoS), CVE-2025-25774 (Critical)


How the CVE Works

CVE-2025-25774 is a race condition in the AMF (Access and Mobility Management Function) of Open5GS v2.7.2 that surfaces during UE (User Equipment) handovers between gNBs (next-generation NodeBs). When a UE sends a handover request at a precise moment during a state transition, the AMF's internal state machine fails to handle the concurrent requests and raises an unhandled exception. This crashes the AMF, disrupting core network services and causing a DoS condition. The root cause is improper synchronization in the AMF's session management logic, which allows malformed handover sequences to bypass its sanity checks.

DailyCVE Form:

Platform: Open5GS
Version: 2.7.2
Vulnerability: AMF state machine crash
Severity: Critical
Date: 04/29/2025

What Undercode Say:

Exploitation Analysis:

  1. Triggering the Crash: Crafted handover requests must coincide with AMF state transitions.
  2. Payload Example: Use a UE simulator to rapidly switch gNBs while flooding handover requests.
  3. Impact: AMF process termination, disrupting all attached UEs.

Detection Commands:

Check AMF crash logs in Open5GS:
    journalctl -u open5gs-amfd | grep "state_machine" -A 5

Monitor AMF process stability:
    ps aux | grep amf | awk '{print $2, $11}' | grep -v "grep"
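
As an added illustration of the detection step (this is not code from the original post or from the Open5GS project): a small C program that scans journalctl-style output for the crash pattern described above, a state-machine error followed by the AMF process exiting and systemd restarting it. The log lines are constructed for the example, and the substrings it matches on are assumptions; adjust them to the messages your AMF build actually logs.

```c
// Added example, not Open5GS code: tally AMF state-machine errors, process
// exits and restarts from journal-style log lines and return a verdict.
#include <stdio.h>
#include <string.h>

typedef struct {
    int state_machine_errors;  // AMF lines reporting a state-machine ERROR/FATAL
    int process_exits;         // systemd "Main process exited" notices
    int restarts;              // systemd "Scheduled restart job" notices
} amf_log_summary_t;

// Classify one log line into the summary. The substrings are assumptions about
// the log format; tune them to what your open5gs-amfd actually emits.
static void classify_line(const char *line, amf_log_summary_t *s) {
    if (strstr(line, "state_machine") &&
        (strstr(line, "ERROR") || strstr(line, "FATAL"))) {
        s->state_machine_errors++;
    } else if (strstr(line, "Main process exited")) {
        s->process_exits++;
    } else if (strstr(line, "Scheduled restart job")) {
        s->restarts++;
    }
}

// Walk a newline-separated buffer (what `journalctl -u open5gs-amfd` prints)
// and tally the lines that matter.
amf_log_summary_t summarize_amf_log(const char *buf) {
    amf_log_summary_t s = {0, 0, 0};
    const char *p = buf;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        const char *next = nl ? nl + 1 : p + len;
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;  // truncate overlong lines
        memcpy(line, p, len);
        line[len] = '\0';
        classify_line(line, &s);
        p = next;
    }
    return s;
}

// Verdict: a state-machine error together with an exit or restart is the
// pattern described for this CVE and should trigger an alert.
int amf_log_unstable(const char *buf) {
    amf_log_summary_t s = summarize_amf_log(buf);
    return s.state_machine_errors > 0 && (s.process_exits > 0 || s.restarts > 0);
}

// Constructed sample output (not a real capture); the layout loosely follows journalctl.
const char *SAMPLE_CRASH_LOG =
    "Apr 29 10:00:01 core open5gs-amfd[1234]: [amf] INFO: Handover request received\n"
    "Apr 29 10:00:01 core open5gs-amfd[1234]: [amf] ERROR: state_machine: unexpected event during transition\n"
    "Apr 29 10:00:01 core open5gs-amfd[1234]: [amf] FATAL: state_machine assertion failed\n"
    "Apr 29 10:00:01 core systemd[1]: open5gs-amfd.service: Main process exited, code=killed, status=6/ABRT\n"
    "Apr 29 10:00:02 core systemd[1]: open5gs-amfd.service: Scheduled restart job, restart counter is at 1.\n"
    "Apr 29 10:00:03 core open5gs-amfd[1300]: [amf] INFO: AMF initialize...done\n";

// Constructed healthy sample: handovers complete with no errors or restarts.
const char *SAMPLE_HEALTHY_LOG =
    "Apr 29 10:05:00 core open5gs-amfd[1300]: [amf] INFO: Handover request received\n"
    "Apr 29 10:05:00 core open5gs-amfd[1300]: [amf] INFO: Handover completed\n";

int main(void) {
    amf_log_summary_t s = summarize_amf_log(SAMPLE_CRASH_LOG);
    printf("state_machine errors=%d exits=%d restarts=%d unstable=%d\n",
           s.state_machine_errors, s.process_exits, s.restarts,
           amf_log_unstable(SAMPLE_CRASH_LOG));
    printf("healthy sample unstable=%d\n", amf_log_unstable(SAMPLE_HEALTHY_LOG));
    return 0;
}
```

To run it against a live host, read the journal output into a buffer and pass it to summarize_amf_log; the verdict deliberately requires both an error and an exit or restart so that a single noisy log line does not page anyone.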

Mitigation Steps:

  1. Patch: Upgrade to Open5GS v2.7.3+ with AMF state machine fixes.
  2. Workaround: Rate-limit handover requests per UE via AMF configuration (open5gs-amf.yaml):
    handover:
      max_requests_per_ue: 5
      timeout_ms: 1000

Exploit Code Snippet (PoC):

import socket
import time

def send_malformed_handover(amf_ip):
    while True:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.sendto(b"\x00\x01\xff\xff", (amf_ip, 38412))  # Fake handover payload
        time.sleep(0.01)  # Trigger race condition

Protection Code (AMF Sanity Check):

// Patch for AMF state machine (pseudo-code)
void handle_handover(request) {
    lock_state_machine();            // Prevent concurrent access
    if (request->ue_state != VALID) {
        log_error("Invalid UE state");
        unlock_state_machine();      // Release the lock on the error path too
        return;
    }
    /* ... process the handover while the lock is held ... */
    unlock_state_machine();
}
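
The sketch above, the race described under "How the CVE Works" and the per-UE rate limit from the workaround all come together in the following added example. It is not Open5GS code and not part of the original post: a per-UE handover state machine that takes a lock before every check and every transition, rejects out-of-order or concurrent requests with an error code instead of an unhandled exception, and applies a fixed-window request limit per UE. The state names, the lock type, the limits (5 requests per 1000 ms, mirroring the workaround) and the function names are all assumptions made for the illustration.

```c
// Added example, not Open5GS code: a locked, rate-limited per-UE handover
// state machine. A real AMF would use the project's own mutex abstraction;
// a C11 atomic_flag spinlock is used here so the file builds stand-alone.
#include <stdatomic.h>
#include <stdio.h>

typedef enum { UE_IDLE, UE_CONNECTED, UE_HANDOVER_IN_PROGRESS } ue_state_t;

typedef enum {
    HO_OK = 0,
    HO_ERR_INVALID_STATE = 1,   // handover not legal from the UE's current state
    HO_ERR_RATE_LIMITED  = 2    // too many handover requests in the current window
} ho_result_t;

typedef struct {
    atomic_flag lock;         // guards every field below
    ue_state_t state;
    int window_start_ms;      // start of the current rate-limit window
    int requests_in_window;   // handover requests seen in that window
} ue_ctx_t;

// Limits assumed for illustration, matching the workaround in the post.
#define MAX_HANDOVER_REQUESTS_PER_UE 5
#define HANDOVER_WINDOW_MS 1000

static void ue_lock(ue_ctx_t *ue) {
    while (atomic_flag_test_and_set_explicit(&ue->lock, memory_order_acquire)) { }
}
static void ue_unlock(ue_ctx_t *ue) {
    atomic_flag_clear_explicit(&ue->lock, memory_order_release);
}

void ue_ctx_init(ue_ctx_t *ue, ue_state_t initial) {
    atomic_flag_clear(&ue->lock);
    ue->state = initial;
    ue->window_start_ms = 0;
    ue->requests_in_window = 0;
}

// Fixed-window counter; must be called with the UE lock held.
static int rate_limit_exceeded(ue_ctx_t *ue, int now_ms) {
    if (now_ms - ue->window_start_ms >= HANDOVER_WINDOW_MS) {
        ue->window_start_ms = now_ms;     // open a new window
        ue->requests_in_window = 0;
    }
    ue->requests_in_window++;
    return ue->requests_in_window > MAX_HANDOVER_REQUESTS_PER_UE;
}

// Entry point for a handover request. Every check and the state change happen
// under the UE lock, so two concurrent requests for the same UE are serialised
// and the second one sees the state the first one left behind.
ho_result_t handle_handover_request(ue_ctx_t *ue, int now_ms) {
    ho_result_t result = HO_OK;
    ue_lock(ue);
    if (rate_limit_exceeded(ue, now_ms)) {
        result = HO_ERR_RATE_LIMITED;
    } else if (ue->state != UE_CONNECTED) {
        // Covers "already in handover" (the concurrent case) and "not attached";
        // neither may reach the transition below.
        result = HO_ERR_INVALID_STATE;
    } else {
        ue->state = UE_HANDOVER_IN_PROGRESS;
    }
    ue_unlock(ue);  // released on every path, success or error
    return result;
}

// Completion from the target side: only legal while a handover is in progress.
ho_result_t handle_handover_complete(ue_ctx_t *ue) {
    ho_result_t result = HO_OK;
    ue_lock(ue);
    if (ue->state != UE_HANDOVER_IN_PROGRESS) result = HO_ERR_INVALID_STATE;
    else ue->state = UE_CONNECTED;
    ue_unlock(ue);
    return result;
}

int main(void) {
    ue_ctx_t ue;
    ue_ctx_init(&ue, UE_CONNECTED);
    printf("first request:  %d (expect 0, accepted)\n", handle_handover_request(&ue, 0));
    printf("second request: %d (expect 1, already in handover)\n", handle_handover_request(&ue, 1));
    printf("complete:       %d (expect 0)\n", handle_handover_complete(&ue));
    return 0;
}
```

The ordering matters: the rate-limit counter is bumped before the state check, so a flood of requests is charged against the UE even when each one is rejected as out of order, and the lock is released on every return path, which is the defect the pseudo-code above had to be corrected for.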

Analytics:

  • Attack Vector: Network-adjacent, no authentication required.
  • Complexity: Low (exploitable with basic UE emulation).
  • CVSS 4.0: 9.1 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
