CVE-2025-70121 Overview
An array index out of bounds vulnerability exists in the AMF (Access and Mobility Management Function) component of free5GC v4.0.1 that allows remote attackers to cause a denial of service. The vulnerability is triggered via a crafted 5GS Mobile Identity in a NAS Registration Request message. When exploited, the issue causes a runtime panic in the GetSUCI method within NAS_MobileIdentity5GS.go, occurring when the code attempts to access index 5 of a 5-element array, ultimately crashing the AMF component.
Critical Impact
Remote attackers can crash the AMF component of 5G core networks without authentication, causing denial of service to mobile network subscribers.
Affected Products
- free5GC v4.0.1
- AMF component (NAS_MobileIdentity5GS.go)
- 5G core network deployments using affected free5GC versions
Discovery Timeline
- 2026-02-13 - CVE CVE-2025-70121 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-70121
Vulnerability Analysis
This vulnerability represents an Out-of-Bounds Read (CWE-125) condition in the free5GC open-source 5G core network implementation. The flaw resides specifically in the AMF component, which handles access and mobility management functions critical to 5G network operations.
The vulnerability occurs when processing NAS (Non-Access Stratum) Registration Request messages containing a malformed 5GS Mobile Identity field. The affected GetSUCI method in NAS_MobileIdentity5GS.go fails to properly validate array boundaries before accessing elements, allowing an attacker to trigger an out-of-bounds array access.
When exploited, the Go runtime detects the invalid array index access (attempting to access index 5 of a zero-indexed 5-element array) and triggers a panic, causing the entire AMF process to crash. This results in a denial of service condition affecting all users relying on that AMF instance for network registration and mobility services.
Root Cause
The root cause is insufficient bounds checking in the GetSUCI method when parsing the 5GS Mobile Identity field from incoming NAS messages. The code assumes the Mobile Identity data will always contain the expected number of elements without validating the actual array length before indexing. When a crafted message provides fewer elements than expected, the code attempts to access an array index that does not exist, resulting in a runtime panic.
Attack Vector
The attack can be executed remotely over the network without requiring any authentication or privileges. An attacker sends a specially crafted NAS Registration Request message to the AMF component containing a malformed 5GS Mobile Identity field. The message is processed by the GetSUCI method, which attempts to extract SUCI (Subscription Concealed Identifier) information from the identity field. Due to the missing bounds check, accessing an invalid array index causes the Go runtime to panic, crashing the AMF service.
The vulnerability mechanism involves malformed NAS Registration Request messages targeting the 5GS Mobile Identity parsing logic. When the GetSUCI method processes these messages without proper validation, it attempts to access array index 5 in what should be a 5-element array (indices 0-4), causing an immediate runtime panic. For additional technical details, see the GitHub Issue Discussion.
Detection Methods for CVE-2025-70121
Indicators of Compromise
- Unexpected AMF process crashes or restarts in free5GC deployments
- Runtime panic logs in AMF component referencing NAS_MobileIdentity5GS.go or GetSUCI method
- Spike in NAS Registration Request messages with malformed 5GS Mobile Identity fields
- Service degradation or unavailability for 5G network registration services
Detection Strategies
- Monitor AMF process stability and implement alerting for unexpected crashes or restarts
- Implement deep packet inspection for NAS protocol messages, flagging Registration Requests with abnormally short or malformed Mobile Identity fields
- Deploy log analysis rules to detect Go runtime panic messages from the AMF component
- Use network traffic anomaly detection to identify unusual patterns in NAS signaling traffic
Monitoring Recommendations
- Configure health checks for the AMF service with automatic alerting on service interruption
- Implement centralized logging for all 5G core components with specific filters for runtime errors
- Monitor system metrics (CPU, memory, process state) for the AMF component to detect crash/restart cycles
- Track NAS message statistics to baseline normal behavior and detect anomalous registration patterns
How to Mitigate CVE-2025-70121
Immediate Actions Required
- Review the free5GC GitHub issue for updated patch information and apply fixes when available
- Implement network-level filtering to validate NAS message structure before reaching the AMF component
- Deploy redundant AMF instances with automatic failover to minimize service disruption from crashes
- Consider temporarily restricting network access to the AMF component from untrusted sources
Patch Information
The vulnerability has been reported to the free5GC project via their GitHub issue tracker. Organizations running free5GC v4.0.1 should monitor the GitHub Issue Discussion for official patches and upgrade to a fixed version when available. Until a patch is released, implementing compensating controls is strongly recommended.
Workarounds
- Deploy a network proxy or firewall capable of inspecting and validating NAS message structure, rejecting malformed 5GS Mobile Identity fields
- Implement process supervision with automatic restart capabilities to minimize downtime if a crash occurs
- Use rate limiting on NAS Registration Requests to slow down potential denial of service attacks
- Consider isolating the 5G core network from untrusted network segments to reduce the attack surface
The mitigation strategy involves implementing NAS message validation at the network layer. Configuration examples will depend on your specific network infrastructure and security tools. Organizations should work with their network security teams to implement appropriate filtering rules that validate 5GS Mobile Identity field structure before allowing messages to reach the AMF component.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
