Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-70121

CVE-2025-70121: Free5gc DoS Vulnerability via AMF Crash

CVE-2025-70121 is a denial of service flaw in Free5gc v4.0.1 AMF component caused by an array index out of bounds error. Attackers can crash the AMF via crafted NAS messages. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-70121 Overview

An array index out of bounds vulnerability exists in the AMF (Access and Mobility Management Function) component of free5GC v4.0.1 that allows remote attackers to cause a denial of service. The vulnerability is triggered via a crafted 5GS Mobile Identity in a NAS Registration Request message. When exploited, the issue causes a runtime panic in the GetSUCI method within NAS_MobileIdentity5GS.go, occurring when the code attempts to access index 5 of a 5-element array, ultimately crashing the AMF component.

Critical Impact

Remote attackers can crash the AMF component of 5G core networks without authentication, causing denial of service to mobile network subscribers.

Affected Products

  • free5GC v4.0.1
  • AMF component (NAS_MobileIdentity5GS.go)
  • 5G core network deployments using affected free5GC versions

Discovery Timeline

  • 2026-02-13 - CVE CVE-2025-70121 published to NVD
  • 2026-02-18 - Last updated in NVD database

Technical Details for CVE-2025-70121

Vulnerability Analysis

This vulnerability represents an Out-of-Bounds Read (CWE-125) condition in the free5GC open-source 5G core network implementation. The flaw resides specifically in the AMF component, which handles access and mobility management functions critical to 5G network operations.

The vulnerability occurs when processing NAS (Non-Access Stratum) Registration Request messages containing a malformed 5GS Mobile Identity field. The affected GetSUCI method in NAS_MobileIdentity5GS.go fails to properly validate array boundaries before accessing elements, allowing an attacker to trigger an out-of-bounds array access.

When exploited, the Go runtime detects the invalid array index access (attempting to access index 5 of a zero-indexed 5-element array) and triggers a panic, causing the entire AMF process to crash. This results in a denial of service condition affecting all users relying on that AMF instance for network registration and mobility services.

Root Cause

The root cause is insufficient bounds checking in the GetSUCI method when parsing the 5GS Mobile Identity field from incoming NAS messages. The code assumes the Mobile Identity data will always contain the expected number of elements without validating the actual array length before indexing. When a crafted message provides fewer elements than expected, the code attempts to access an array index that does not exist, resulting in a runtime panic.

Attack Vector

The attack can be executed remotely over the network without requiring any authentication or privileges. An attacker sends a specially crafted NAS Registration Request message to the AMF component containing a malformed 5GS Mobile Identity field. The message is processed by the GetSUCI method, which attempts to extract SUCI (Subscription Concealed Identifier) information from the identity field. Due to the missing bounds check, accessing an invalid array index causes the Go runtime to panic, crashing the AMF service.

The vulnerability mechanism involves malformed NAS Registration Request messages targeting the 5GS Mobile Identity parsing logic. When the GetSUCI method processes these messages without proper validation, it attempts to access array index 5 in what should be a 5-element array (indices 0-4), causing an immediate runtime panic. For additional technical details, see the GitHub Issue Discussion.

Detection Methods for CVE-2025-70121

Indicators of Compromise

  • Unexpected AMF process crashes or restarts in free5GC deployments
  • Runtime panic logs in AMF component referencing NAS_MobileIdentity5GS.go or GetSUCI method
  • Spike in NAS Registration Request messages with malformed 5GS Mobile Identity fields
  • Service degradation or unavailability for 5G network registration services

Detection Strategies

  • Monitor AMF process stability and implement alerting for unexpected crashes or restarts
  • Implement deep packet inspection for NAS protocol messages, flagging Registration Requests with abnormally short or malformed Mobile Identity fields
  • Deploy log analysis rules to detect Go runtime panic messages from the AMF component
  • Use network traffic anomaly detection to identify unusual patterns in NAS signaling traffic

Monitoring Recommendations

  • Configure health checks for the AMF service with automatic alerting on service interruption
  • Implement centralized logging for all 5G core components with specific filters for runtime errors
  • Monitor system metrics (CPU, memory, process state) for the AMF component to detect crash/restart cycles
  • Track NAS message statistics to baseline normal behavior and detect anomalous registration patterns

How to Mitigate CVE-2025-70121

Immediate Actions Required

  • Review the free5GC GitHub issue for updated patch information and apply fixes when available
  • Implement network-level filtering to validate NAS message structure before reaching the AMF component
  • Deploy redundant AMF instances with automatic failover to minimize service disruption from crashes
  • Consider temporarily restricting network access to the AMF component from untrusted sources

Patch Information

The vulnerability has been reported to the free5GC project via their GitHub issue tracker. Organizations running free5GC v4.0.1 should monitor the GitHub Issue Discussion for official patches and upgrade to a fixed version when available. Until a patch is released, implementing compensating controls is strongly recommended.

Workarounds

  • Deploy a network proxy or firewall capable of inspecting and validating NAS message structure, rejecting malformed 5GS Mobile Identity fields
  • Implement process supervision with automatic restart capabilities to minimize downtime if a crash occurs
  • Use rate limiting on NAS Registration Requests to slow down potential denial of service attacks
  • Consider isolating the 5G core network from untrusted network segments to reduce the attack surface

The mitigation strategy involves implementing NAS message validation at the network layer. Configuration examples will depend on your specific network infrastructure and security tools. Organizations should work with their network security teams to implement appropriate filtering rules that validate 5GS Mobile Identity field structure before allowing messages to reach the AMF component.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.