CVE-2025-70123 Overview
An improper input validation and protocol compliance vulnerability in free5GC v4.0.1 allows remote attackers to cause a denial of service. The User Plane Function (UPF) incorrectly accepts a malformed PFCP Association Setup Request, violating 3GPP TS 29.244 specifications. This places the UPF in an inconsistent state where a subsequent valid PFCP Session Establishment Request triggers a cascading failure, disrupting the SMF connection and causing service degradation across the 5G core network.
Critical Impact
Remote attackers can exploit this vulnerability to disrupt 5G network services by sending malformed PFCP packets, potentially causing widespread service outages in mobile network infrastructure deployments using free5GC.
Affected Products
- free5GC version 4.0.1
- free5GC User Plane Function (UPF) component
- 5G core network deployments utilizing free5GC
Discovery Timeline
- 2026-02-13 - CVE-2025-70123 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-70123
Vulnerability Analysis
This vulnerability stems from improper input validation in the free5GC User Plane Function (UPF) when processing PFCP (Packet Forwarding Control Protocol) messages. The UPF fails to properly validate incoming PFCP Association Setup Requests against the mandatory requirements defined in 3GPP TS 29.244, the technical specification governing PFCP protocol behavior in 5G networks.
When the UPF receives a malformed PFCP Association Setup Request that does not conform to protocol specifications, it incorrectly accepts the request instead of rejecting it. This acceptance places the UPF into an inconsistent internal state. The vulnerability becomes fully exploitable when a subsequent, legitimately formed PFCP Session Establishment Request is processed while the UPF remains in this corrupted state.
The cascading failure that results from this sequence disrupts the connection between the UPF and the Session Management Function (SMF), which is responsible for session management in the 5G core. This disruption causes service degradation affecting user plane traffic handling capabilities.
Root Cause
The root cause is a CWE-20 (Improper Input Validation) deficiency in the PFCP message parsing and validation logic within the free5GC UPF component. The implementation does not enforce strict compliance with 3GPP TS 29.244 protocol specifications, allowing malformed messages to be processed and alter internal state management. The validation routines fail to verify mandatory Information Elements (IEs) and their proper formatting before accepting association setup requests.
Attack Vector
The vulnerability is exploitable remotely over the network without requiring authentication or user interaction. An attacker with network access to the PFCP interface (typically UDP port 8805) can craft and send malformed PFCP Association Setup Request messages to the target UPF.
The attack follows a two-stage exploitation pattern:
- Initial Corruption Stage: The attacker sends a malformed PFCP Association Setup Request that violates 3GPP TS 29.244 requirements. Due to insufficient validation, the UPF accepts this request and enters an inconsistent state.
- Triggering Stage: A subsequent valid PFCP Session Establishment Request, which could originate from legitimate SMF operations or be sent by the attacker, triggers the cascading failure while the UPF is in the corrupted state.
The vulnerability requires no special privileges and can be exploited by any attacker with network connectivity to the PFCP control plane interface. For additional technical details regarding this vulnerability, see the free5GC GitHub Issue Discussion.
Detection Methods for CVE-2025-70123
Indicators of Compromise
- Unexpected UPF service restarts or crashes following PFCP message processing
- PFCP Association Setup Requests with missing or malformed mandatory Information Elements in network captures
- SMF-UPF connection disruptions without corresponding infrastructure issues
- Anomalous patterns of PFCP messages from external or unexpected source IP addresses
Detection Strategies
- Deploy network intrusion detection signatures to identify malformed PFCP messages that violate 3GPP TS 29.244 mandatory field requirements
- Monitor UPF process health and implement alerting for unexpected state transitions or service interruptions
- Implement PFCP protocol-aware deep packet inspection on network segments carrying control plane traffic
- Configure SentinelOne Singularity Platform to monitor free5GC process behavior for anomalous crashes or resource consumption patterns
Monitoring Recommendations
- Enable detailed logging for PFCP message processing on UPF instances to capture malformed request attempts
- Monitor UDP port 8805 traffic patterns for unusual volumes or sources of PFCP messages
- Implement service availability monitoring for UPF-SMF connectivity with rapid alerting thresholds
- Deploy network flow analysis to detect potential reconnaissance or exploitation attempts targeting PFCP interfaces
How to Mitigate CVE-2025-70123
Immediate Actions Required
- Restrict network access to PFCP interfaces (UDP port 8805) using firewall rules to allow only authorized SMF and other legitimate control plane sources
- Implement network segmentation to isolate 5G core control plane components from untrusted network segments
- Monitor free5GC project releases and apply security updates when patches become available
- Review and audit existing PFCP interface access controls and network topology
Patch Information
At the time of publication, users should monitor the free5GC GitHub repository for updates regarding a security fix. Organizations running free5GC 4.0.1 should subscribe to project notifications and apply patches promptly when released. Until a patch is available, implement the workarounds and network-level controls described below.
Workarounds
- Deploy a PFCP-aware network firewall or proxy that validates messages against 3GPP TS 29.244 specifications before forwarding to the UPF
- Implement strict IP allowlisting on PFCP interfaces to accept connections only from known, authorized SMF instances
- Consider deploying UPF instances behind a protocol validation gateway that filters malformed PFCP messages
- Implement rate limiting on PFCP message processing to reduce the impact of potential exploitation attempts
# Example iptables configuration to restrict PFCP interface access
# Replace SMF_IP with your actual SMF IP address(es)
iptables -A INPUT -p udp --dport 8805 -s SMF_IP -j ACCEPT
iptables -A INPUT -p udp --dport 8805 -j DROP
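
The mandatory-IE check that the Root Cause section says is missing, and that a protocol validation gateway from the Workarounds list would apply before forwarding to the UPF, can be sketched as follows. This is an added example, not free5GC code: `ValidateAssocSetup`, `mandatory` and the sample byte strings are hypothetical names and constructed data, and the message and IE type numbers are taken from 3GPP TS 29.244.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Mandatory IEs of a PFCP Association Setup Request (message type 5) with a
// lower bound on value length: Node ID (60) and Recovery Time Stamp (96).
var mandatory = map[uint16]int{60: 2, 96: 4}

// Constructed samples: PFCP header, Node ID (IPv4 192.0.2.1) and, for
// validReq only, a Recovery Time Stamp. Octets 3-4 are the header length.
var (
	noRTSReq = []byte{0x20, 5, 0, 13, 0, 0, 1, 0, 0, 60, 0, 5, 0, 192, 0, 2, 1}
	validReq = []byte{0x20, 5, 0, 21, 0, 0, 1, 0, 0, 60, 0, 5, 0, 192, 0, 2, 1,
		0, 96, 0, 4, 0xec, 0, 0, 0}
)

// ValidateAssocSetup returns nil only when pkt passes every check below.
func ValidateAssocSetup(pkt []byte) error {
	if len(pkt) < 8 || pkt[0]>>5 != 1 || pkt[0]&1 != 0 || pkt[1] != 5 {
		return errors.New("not a version 1 node-level Association Setup Request")
	}
	// The header length field counts everything after the first 4 octets.
	if int(binary.BigEndian.Uint16(pkt[2:]))+4 != len(pkt) {
		return errors.New("header length does not match datagram size")
	}
	seen := map[uint16]bool{}
	for body := pkt[8:]; len(body) > 0; {
		if len(body) < 4 {
			return errors.New("truncated IE header")
		}
		typ, n := binary.BigEndian.Uint16(body), int(binary.BigEndian.Uint16(body[2:]))
		if n > len(body)-4 || n < mandatory[typ] {
			return fmt.Errorf("IE %d is too short or overruns the message", typ)
		}
		seen[typ], body = true, body[4+n:]
	}
	for typ := range mandatory {
		if !seen[typ] {
			return fmt.Errorf("mandatory IE %d missing", typ)
		}
	}
	return nil
}

func main() { fmt.Println(ValidateAssocSetup(validReq), ValidateAssocSetup(noRTSReq)) }
```

A gateway or capture-analysis tool would drop or alert on any datagram for which this returns a non-nil error instead of passing it to the UPF.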

