CVE-2025-70123 Overview
CVE-2025-70123 is an improper input validation vulnerability [CWE-20] in free5GC v4.0.1, an open-source 5G core network implementation. The User Plane Function (UPF) accepts a malformed Packet Forwarding Control Protocol (PFCP) Association Setup Request in violation of 3GPP TS 29.244. This protocol non-compliance places the UPF in an inconsistent state. A subsequent valid PFCP Session Establishment Request then triggers a cascading failure that disrupts the Session Management Function (SMF) connection and degrades service. Remote attackers can exploit this flaw over the network without authentication to cause a denial of service condition.
Critical Impact
Unauthenticated remote attackers can crash the free5GC UPF-SMF control plane channel, causing service degradation across the 5G core network.
Affected Products
- free5GC v4.0.1
- User Plane Function (UPF) component
- Session Management Function (SMF) connection paths dependent on the affected UPF
Discovery Timeline
- 2026-02-13 - CVE-2025-70123 published to the National Vulnerability Database
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-70123
Vulnerability Analysis
The vulnerability resides in how free5GC's UPF processes PFCP Association Setup Requests. PFCP is the protocol defined in 3GPP TS 29.244 that governs communication between the SMF and UPF in a 5G core network. The UPF fails to enforce protocol compliance checks on incoming Association Setup Requests. When the UPF receives a malformed message, it accepts the request rather than rejecting it. This leaves internal state machines in an inconsistent configuration. A legitimate PFCP Session Establishment Request that arrives afterward interacts with this corrupted state, producing a cascading fault. The fault propagates to the SMF connection and disrupts session management across the network slice serving subscribers.
Root Cause
The root cause is missing input validation [CWE-20] on PFCP signaling messages. The UPF does not enforce mandatory information element checks required by 3GPP TS 29.244. Accepting non-compliant messages corrupts the session context tracking inside the UPF.
Attack Vector
An attacker with network reachability to the PFCP interface (typically the N4 reference point) sends a single crafted Association Setup Request. No authentication or user interaction is required. The malformed message is the trigger, and any subsequent valid session establishment completes the denial of service chain. Operators exposing the N4 interface beyond a controlled network segment face higher risk.
No public proof-of-concept or exploit code is currently published. The vulnerability mechanics are documented in the free5GC GitHub issue tracker.
Detection Methods for CVE-2025-70123
Indicators of Compromise
- Unexpected PFCP Association Setup Requests on the N4 interface from unknown source addresses.
- UPF logs showing accepted Association Setup messages followed by SMF disconnection events or session establishment failures.
- Sudden drops in active PDU sessions correlated with PFCP signaling anomalies.
Detection Strategies
- Inspect PFCP traffic for messages that violate 3GPP TS 29.244 mandatory information element requirements.
- Correlate UPF state transitions with SMF heartbeat failures to identify cascading control plane disruption.
- Baseline normal PFCP message rates and alert on out-of-pattern Association Setup attempts.
Monitoring Recommendations
- Enable verbose logging on free5GC UPF and SMF components for the N4 interface.
- Forward PFCP control plane telemetry to a centralized data lake for protocol-level analysis.
- Track subscriber session establishment success rates as a leading indicator of UPF instability.
How to Mitigate CVE-2025-70123
Immediate Actions Required
- Restrict access to the N4 interface to trusted SMF instances using network segmentation and access control lists.
- Monitor the free5GC GitHub issue for patch availability and apply fixes once released.
- Audit deployments running free5GC v4.0.1 and isolate test or lab environments from production traffic.
Patch Information
At the time of publication, no fixed version has been confirmed in the NVD record. Track the upstream free5GC repository for commits referencing PFCP Association Setup validation and 3GPP TS 29.244 compliance.
Workarounds
- Deploy a PFCP-aware firewall or protocol validator in front of the UPF to drop malformed Association Setup Requests.
- Enforce mutual authentication and IPsec on the N4 interface to limit exposure to untrusted peers.
- Implement rate limiting on PFCP control plane messages to reduce the impact of repeated malformed requests.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

