CVE-2025-66786 Overview
CVE-2025-66786 is a Denial of Service (DoS) vulnerability affecting OpenAirInterface CN5G AMF (Access and Mobility Management Function) versions up to and including v2.0.1. The vulnerability stems from a logical error in the JSON request processing mechanism. Unauthorized remote attackers can exploit this flaw by sending specially crafted malicious JSON data to the AMF's Service-Based Interface (SBI), resulting in a denial-of-service condition.
Critical Impact
Remote attackers can disrupt 5G core network operations by exploiting improper input validation in the AMF component, potentially affecting mobile network availability.
Affected Products
- OpenAirInterface CN5G AMF version 2.0.1 and earlier
- 5G Core Network deployments using vulnerable AMF components
- Network environments exposing the AMF SBI to untrusted networks
Discovery Timeline
- 2026-01-07 - CVE-2025-66786 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-66786
Vulnerability Analysis
This vulnerability is classified under CWE-20 (Improper Input Validation). The OpenAirInterface CN5G AMF component fails to properly validate JSON format requests received through its Service-Based Interface. When the AMF processes malformed or specially crafted JSON payloads, a logical error in the parsing routine causes the service to enter an unstable state, leading to denial of service.
The 5G Core Network AMF is a critical component responsible for handling access control, mobility management, and authentication for User Equipment (UE). Successful exploitation of this vulnerability could disrupt the core network's ability to manage connected devices, effectively denying service to legitimate users.
Root Cause
The root cause lies in improper input validation within the JSON parsing logic of the AMF's SBI handler. The logical error occurs when processing specific JSON structures, causing the application to fail to handle edge cases or malformed input gracefully. This allows unauthenticated attackers to trigger resource exhaustion or application crashes by submitting crafted JSON payloads.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker with network access to the AMF's SBI can remotely exploit this vulnerability by:
- Identifying an exposed AMF SBI endpoint (typically a REST-based HTTP/2 interface)
- Crafting malicious JSON payloads designed to trigger the logical parsing error
- Sending the malformed requests to the AMF service
- Causing service disruption or complete denial of service
For technical details on the exploitation mechanism, refer to the GitHub PoC Repository documenting this vulnerability.
Detection Methods for CVE-2025-66786
Indicators of Compromise
- Abnormal volume of JSON requests targeting AMF SBI endpoints
- AMF service crashes or unexpected restarts correlating with external requests
- Malformed JSON payloads in network traffic to AMF interfaces
- Error logs indicating JSON parsing failures or exceptions
Detection Strategies
- Monitor AMF service health and availability for unexpected disruptions
- Implement network-level inspection for malformed JSON payloads targeting SBI endpoints
- Configure alerting on AMF process crashes or high restart frequency
- Deploy application-layer firewalls to inspect and filter malicious JSON content
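One way to act on the restart-correlation indicator above, as an added example that is not part of the original advisory or of OpenAirInterface: it pairs each AMF restart with the SBI requests seen shortly before it. The log format, the `sbi-proxy` and `supervisor` source names, the 10-second window and the sample lines are all assumptions constructed for illustration; the trusted range reuses the 10.0.0.0/24 placeholder from the firewall example on this page.

```python
import ipaddress
import re
from datetime import datetime, timedelta

TRUSTED = ipaddress.ip_network("10.0.0.0/24")  # placeholder subnet from the page's iptables example
WINDOW = timedelta(seconds=10)                 # assumed look-back period before each restart

# Constructed log lines in a hypothetical format (front proxy plus process supervisor).
SAMPLE_LOG = """\
2026-01-09T10:00:01 sbi-proxy src=10.0.0.12 path=/namf-comm/v1/ue-contexts status=201
2026-01-09T10:00:40 sbi-proxy src=192.0.2.77 path=/namf-comm/v1/ue-contexts status=502
2026-01-09T10:00:41 supervisor amf exited unexpectedly, restarting
2026-01-09T10:05:00 sbi-proxy src=10.0.0.12 path=/namf-comm/v1/ue-contexts status=400
2026-01-09T10:07:30 sbi-proxy src=192.0.2.77 path=/namf-comm/v1/ue-contexts status=502
2026-01-09T10:07:31 sbi-proxy src=192.0.2.77 path=/namf-comm/v1/ue-contexts status=502
2026-01-09T10:07:33 supervisor amf exited unexpectedly, restarting
2026-01-09T11:00:00 supervisor amf exited unexpectedly, restarting
"""

REQ = re.compile(r"^(\S+) sbi-proxy src=(\S+) ")
RESTART = re.compile(r"^(\S+) supervisor amf exited unexpectedly")

def correlate(log_text, window=WINDOW, trusted=TRUSTED):
    """Return one finding per AMF restart, listing the requests that preceded it."""
    requests, findings = [], []
    for line in log_text.splitlines():
        if m := REQ.match(line):
            requests.append((datetime.fromisoformat(m.group(1)), ipaddress.ip_address(m.group(2))))
        elif m := RESTART.match(line):
            ts = datetime.fromisoformat(m.group(1))
            near = [r for r in requests if ts - window <= r[0] <= ts]
            untrusted = sorted({str(ip) for _, ip in near if ip not in trusted})
            # A restart with no untrusted request before it is probably unrelated to the SBI.
            findings.append({"restart": ts.isoformat(), "requests_in_window": len(near),
                             "untrusted_sources": untrusted, "suspicious": bool(untrusted)})
    return findings

def repeat_offenders(findings, min_restarts=2):
    """Sources outside the trusted range that precede at least min_restarts restarts."""
    counts = {}
    for finding in findings:
        for ip in finding["untrusted_sources"]:
            counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= min_restarts)
```
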
Monitoring Recommendations
- Enable verbose logging on AMF SBI interfaces to capture request details
- Implement rate limiting on SBI endpoints to mitigate flood-based attacks
- Monitor network traffic patterns for anomalous request volumes to AMF services
- Use SentinelOne Singularity Platform to detect suspicious network activity and service disruptions
How to Mitigate CVE-2025-66786
Immediate Actions Required
- Restrict network access to the AMF SBI using firewall rules
- Implement network segmentation to isolate 5G core components from untrusted networks
- Deploy a Web Application Firewall (WAF) or API gateway to filter malformed JSON requests
- Monitor the OpenAirInterface project for patched releases
Patch Information
At the time of publication, organizations should check the OpenAirInterface project for official security patches addressing this vulnerability. The GitHub PoC Repository provides additional technical context that may assist in understanding the scope of required fixes.
Workarounds
- Implement strict access control lists (ACLs) limiting SBI access to trusted network segments
- Deploy rate limiting on AMF endpoints to reduce the effectiveness of DoS attacks
- Use a reverse proxy with JSON validation to reject malformed requests before they reach the AMF
- Consider deploying the AMF in a high-availability configuration to maintain service during attack attempts
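```bash
# Example: Restrict AMF SBI access using iptables
# Allow only trusted network segments to access AMF SBI port (typically 80/443)
# 10.0.0.0/24 is a placeholder; substitute the subnet of the trusted network functions.
# Rules are appended (-A) in order, so the ACCEPT rules must stay ahead of the DROP rules.
iptables -A INPUT -p tcp --dport 80 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
```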
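A sketch of the JSON validation a reverse proxy could apply in front of the AMF, added here as an example and not taken from the advisory or the OpenAirInterface code. The advisory does not say which JSON structure triggers the fault, so the size and depth caps and the rejection of duplicate keys and non-standard constants are assumed conservative policies, not a description of the bug.

```python
import json

MAX_BYTES = 16 * 1024  # assumed cap; size it to the largest legitimate SBI body
MAX_DEPTH = 16         # assumed cap on object/array nesting

class Rejected(ValueError):
    """Raised for any body the proxy should answer with 400 instead of forwarding."""

def nesting_depth(text):
    """Deepest bracket nesting outside string literals, found without recursion."""
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
    return deepest

def _unique_keys(pairs):
    keys = [key for key, _ in pairs]
    if len(keys) != len(set(keys)):
        raise Rejected("duplicate object key")
    return dict(pairs)

def _no_constants(name):
    raise Rejected(f"non-standard constant {name}")

def validate_sbi_body(body):
    """Return the parsed JSON value, or raise Rejected before anything reaches the AMF."""
    if len(body) > MAX_BYTES:
        raise Rejected("body too large")
    try:
        text = body.decode("utf-8")
        if nesting_depth(text) > MAX_DEPTH:  # checked before parsing so the parser never recurses deeply
            raise Rejected("nesting too deep")
        return json.loads(text, object_pairs_hook=_unique_keys, parse_constant=_no_constants)
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise Rejected(f"malformed body: {exc}") from None
```
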


