CVE-2025-8799 Overview
A denial of service vulnerability has been identified in Open5GS versions up to 2.7.5, affecting the Access and Mobility Management Function (AMF) component. The vulnerability exists in the amf_npcf_am_policy_control_build_create function in src/amf/npcf-build.c and the amf_nsmf_pdusession_build_create_sm_context function in src/amf/nsmf-build.c. An attacker can exploit this flaw remotely to crash the AMF service, potentially disrupting 5G core network operations and affecting connected subscribers.
Critical Impact
Remote attackers can cause denial of service to 5G AMF components, potentially disrupting mobile network connectivity for all users relying on the affected Open5GS deployment.
Affected Products
- Open5GS versions up to and including 2.7.5
- 5G Core Network deployments using vulnerable Open5GS AMF component
- Telecommunications infrastructure utilizing Open5GS for 5G service delivery
Discovery Timeline
- August 10, 2025 - CVE-2025-8799 published to NVD
- August 15, 2025 - Last updated in NVD database
Technical Details for CVE-2025-8799
Vulnerability Analysis
This vulnerability is classified under CWE-404 (Improper Resource Shutdown or Release), indicating a flaw in how the AMF component handles resource cleanup during certain operations. The issue arises when late SBI (Service Based Interface) client events occur after the RAN UE (Radio Access Network User Equipment) context has already been released.
The vulnerable code path involves assertions that attempt to validate the existence of a RAN UE context using ran_ue_find_by_id(amf_ue->ran_ue_id). When SBI client responses arrive after the RAN UE has disconnected or been cleaned up, these assertions fail catastrophically, causing the AMF process to crash.
The exploit has been publicly disclosed and can be triggered remotely over the network without requiring authentication or user interaction. This makes the vulnerability particularly dangerous in production 5G core network environments where continuous availability is critical.
Root Cause
The root cause lies in the improper handling of asynchronous SBI client events within the AMF component. The code assumes that when building NF consumer requests (for NPCF AM Policy Control and NSMF PDU Session management), the associated RAN UE context will always be valid. However, in race condition scenarios where the UE disconnects while SBI transactions are pending, the RAN UE context may no longer exist when the response arrives, triggering assertion failures.
The problematic assertions in both src/amf/npcf-build.c and src/amf/nsmf-build.c did not account for the asynchronous nature of SBI communications and the possibility of UE context cleanup occurring mid-transaction.
Attack Vector
The vulnerability is exploitable remotely over the network. An attacker with network access to the 5G core infrastructure can craft specific sequences of signaling messages that trigger the race condition between RAN UE disconnection and pending SBI transactions.
The attack does not require authentication or special privileges. The exploitation flow involves:
- Establishing a connection to the Open5GS AMF
- Initiating procedures that trigger SBI client transactions (such as PDU session establishment or AM policy control)
- Timing a disconnect or triggering UE release while SBI requests are in flight
- The AMF crashes when it receives the SBI response and fails the assertion check
// Vulnerable code pattern (pre-patch)
// src/amf/npcf-build.c
ogs_assert(amf_ue);
ogs_assert(amf_ue->supi);
ogs_assert(ran_ue_find_by_id(amf_ue->ran_ue_id)); // Crashes if RAN UE no longer exists
// src/amf/nsmf-build.c
amf_ue = amf_ue_find_by_id(sess->amf_ue_id);
ogs_assert(amf_ue);
ogs_assert(amf_ue->nas.access_type);
ogs_assert(ran_ue_find_by_id(amf_ue->ran_ue_id)); // Crashes if RAN UE no longer exists
Source: GitHub Open5GS Commit Change
Detection Methods for CVE-2025-8799
Indicators of Compromise
- Unexpected AMF process crashes or restarts in Open5GS deployment logs
- Core dumps or assertion failure messages referencing ran_ue_find_by_id function
- Unusual patterns of UE disconnections followed by immediate service disruption
- Increased SBI transaction timeouts or failures in 5G core network monitoring
Detection Strategies
- Monitor Open5GS AMF process stability and implement alerting for unexpected restarts
- Analyze system logs for assertion failures in npcf-build.c or nsmf-build.c files
- Implement network traffic analysis to detect abnormal UE signaling patterns targeting the AMF
- Deploy intrusion detection rules to identify potential DoS attack patterns against 5G core components
- Review core dumps for crash signatures matching the ran_ue_find_by_id assertion failure
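The indicators and detection strategies above boil down to one log signature: an ogs_assert() failure that names ran_ue_find_by_id or one of the two build functions. The following C program is an added example written for this page, not Open5GS code; it classifies AMF log lines by that signature. The sample lines are constructed to resemble ogs_assert() output (timestamps, SUPI and file:line values are placeholders), and the matcher deliberately keys on the identifiers named in this advisory rather than on exact log formatting, which varies between Open5GS versions.

```c
/* Added example for this advisory, not Open5GS code: classify AMF log
 * lines by the CVE-2025-8799 assertion signature. Sample lines below are
 * constructed; the matcher keys on identifier names, not exact format. */
#include <stdio.h>
#include <string.h>

/* Identifiers from the advisory that a CVE-2025-8799 crash line references */
static const char *const SIGNATURE_IDS[] = {
    "ran_ue_find_by_id",
    "amf_npcf_am_policy_control_build_create",
    "amf_nsmf_pdusession_build_create_sm_context",
    "npcf-build.c",
    "nsmf-build.c",
};
#define N_SIGNATURE_IDS (sizeof SIGNATURE_IDS / sizeof SIGNATURE_IDS[0])

/* Constructed sample log; timestamps, SUPI and file:line values are placeholders. */
const char *const SAMPLE_LOG[] = {
    "08/10 14:02:11.318: [amf] INFO: [imsi-001010000000001] UE Context Release (../src/amf/amf-sm.c:0)",
    "08/10 14:02:11.322: [core] FATAL: amf_npcf_am_policy_control_build_create: Assertion `ran_ue_find_by_id(amf_ue->ran_ue_id)' failed. (../src/amf/npcf-build.c:0)",
    "08/10 14:02:11.323: [core] FATAL: backtrace() returned 8 addresses",
    "08/10 14:02:16.010: [app] INFO: Open5GS daemon v2.7.5 (../src/main.c:0)",
    "08/10 14:05:40.001: [core] FATAL: amf_nsmf_pdusession_build_create_sm_context: Assertion `ran_ue_find_by_id(amf_ue->ran_ue_id)' failed. (../src/amf/nsmf-build.c:0)",
    "08/10 14:05:41.900: [amf] WARNING: ran_ue_find_by_id() returned NULL, dropping response",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* 1 if the line is an assertion failure naming one of the signature identifiers.
 * A mere mention of ran_ue_find_by_id in an INFO/WARNING line does not count. */
int is_cve_2025_8799_signature(const char *line)
{
    if (!strstr(line, "Assertion") || !strstr(line, "failed"))
        return 0;
    for (size_t i = 0; i < N_SIGNATURE_IDS; i++)
        if (strstr(line, SIGNATURE_IDS[i]))
            return 1;
    return 0;
}

/* Counts matching lines and optionally reports the first one. A non-zero
 * count on a pre-2.7.6 AMF is a strong indicator the crash path was hit. */
size_t count_signature_lines(const char *const *lines, size_t n, const char **first)
{
    size_t hits = 0;
    if (first)
        *first = NULL;
    for (size_t i = 0; i < n; i++) {
        if (is_cve_2025_8799_signature(lines[i])) {
            if (first && !*first)
                *first = lines[i];
            hits++;
        }
    }
    return hits;
}

int main(void)
{
    const char *first;
    size_t hits = count_signature_lines(SAMPLE_LOG, SAMPLE_LOG_LEN, &first);
    printf("CVE-2025-8799 assertion signatures found: %zu\n", hits);
    if (first)
        printf("first occurrence: %s\n", first);
    return 0;
}
```

In a deployment, the same classifier would be fed from the AMF log configured in amf.yaml (the packaged configuration writes to /var/log/open5gs/amf.log) or from journalctl -u open5gs-amfd; correlating each hit with a systemd restart of the unit within a few seconds turns a single match into a confirmed crash event rather than a stray line.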
Monitoring Recommendations
- Configure process monitoring for Open5GS AMF with automatic restart and alerting
- Implement real-time log aggregation and analysis for 5G core network components
- Monitor network interface traffic patterns for anomalies targeting AMF service ports
- Track SBI transaction success/failure rates as an early warning indicator
How to Mitigate CVE-2025-8799
Immediate Actions Required
- Upgrade Open5GS to version 2.7.6 or later immediately
- If immediate upgrade is not possible, implement network access controls to restrict AMF exposure
- Enable enhanced logging and monitoring on affected AMF instances
- Prepare incident response procedures for potential DoS attacks
- Review and restrict network access to 5G core infrastructure components
Patch Information
The vulnerability has been addressed in Open5GS version 2.7.6. The security fix is identified by commit hash cf63dd63197bf61a4b041aa364ba6a6199ab15e4. The patch removes the problematic assertions that cause crashes when RAN UE contexts are not found during late SBI client events.
The fix modifies both src/amf/npcf-build.c and src/amf/nsmf-build.c to gracefully handle scenarios where the RAN UE context no longer exists, preventing assertion failures and subsequent AMF crashes.
// Security patch - Removed vulnerable assertions
// src/amf/npcf-build.c (patched)
ogs_assert(amf_ue);
ogs_assert(amf_ue->supi);
// Assertion removed: ogs_assert(ran_ue_find_by_id(amf_ue->ran_ue_id));
// src/amf/nsmf-build.c (patched)
amf_ue = amf_ue_find_by_id(sess->amf_ue_id);
ogs_assert(amf_ue);
ogs_assert(amf_ue->nas.access_type);
// Assertion removed: ogs_assert(ran_ue_find_by_id(amf_ue->ran_ue_id));
Source: GitHub Open5GS Commit Change
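To make the root cause and the shape of the fix concrete, the following C program is an added illustration written for this page, not Open5GS source: every type, function, field and the model_assert macro in it is a constructed stand-in for the real amf_ue/ran_ue structures and ogs_assert(). It models the pool-ID indirection the AMF uses: amf_ue holds ran_ue_id, an ID that is re-resolved on every use, so a RAN UE context released between the SBI request and its response simply stops resolving. The vulnerable builder asserts on that lookup and aborts the whole process; the hardened builder treats a missing RAN UE as an expected timing outcome, logs it and returns NULL so the caller can drop the late transaction.

```c
/* Added illustration for this advisory, not Open5GS code: every type,
 * function and field below is a constructed stand-in for the real
 * amf_ue / ran_ue structures and the ogs_assert() macro. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RAN_UE_POOL_SIZE 4
#define INVALID_ID 0

/* Modelled RAN UE context. Slots are reused after release, so an object
 * that only holds the ID must re-resolve it on every use. */
typedef struct {
    int id;           /* INVALID_ID while the slot is free */
    int gnb_ngap_id;  /* constructed payload field */
} ran_ue_t;

/* Modelled AMF UE context: refers to its RAN UE by ID, not by pointer. */
typedef struct {
    const char *supi;
    int ran_ue_id;    /* may name a context that no longer exists */
} amf_ue_t;

static ran_ue_t ran_ue_pool[RAN_UE_POOL_SIZE];
static int next_ran_ue_id = 1;  /* monotonic: a stale ID never matches a reused slot */

ran_ue_t *ran_ue_add(int gnb_ngap_id)
{
    for (int i = 0; i < RAN_UE_POOL_SIZE; i++) {
        if (ran_ue_pool[i].id == INVALID_ID) {
            ran_ue_pool[i].id = next_ran_ue_id++;
            ran_ue_pool[i].gnb_ngap_id = gnb_ngap_id;
            return &ran_ue_pool[i];
        }
    }
    return NULL;
}

/* UE disconnect / NG context release: the slot becomes free again. */
void ran_ue_remove(ran_ue_t *ran_ue)
{
    memset(ran_ue, 0, sizeof *ran_ue);  /* id becomes INVALID_ID */
}

ran_ue_t *ran_ue_find_by_id(int id)
{
    if (id == INVALID_ID)
        return NULL;
    for (int i = 0; i < RAN_UE_POOL_SIZE; i++)
        if (ran_ue_pool[i].id == id)
            return &ran_ue_pool[i];
    return NULL;
}

/* Stand-in for ogs_assert(): a failed check aborts the whole process,
 * i.e. the entire AMF, not just the one UE's transaction. */
#define model_assert(expr) do { if (!(expr)) { \
    fprintf(stderr, "Assertion `%s' failed.\n", #expr); abort(); } } while (0)

/* Pre-patch pattern: only safe while the RAN UE is guaranteed to exist.
 * Calling it after ran_ue_remove() terminates the process. */
const char *build_policy_request_vulnerable(const amf_ue_t *amf_ue, char *buf, size_t len)
{
    model_assert(amf_ue);
    model_assert(amf_ue->supi);
    model_assert(ran_ue_find_by_id(amf_ue->ran_ue_id));
    snprintf(buf, len, "{\"supi\":\"%s\",\"ranUe\":%d}", amf_ue->supi,
             ran_ue_find_by_id(amf_ue->ran_ue_id)->gnb_ngap_id);
    return buf;
}

/* Hardened pattern: a missing RAN UE is a timing outcome, not a bug.
 * Log it and return NULL so the caller drops the late transaction. */
const char *build_policy_request_fixed(const amf_ue_t *amf_ue, char *buf, size_t len)
{
    if (!amf_ue || !amf_ue->supi)
        return NULL;
    ran_ue_t *ran_ue = ran_ue_find_by_id(amf_ue->ran_ue_id);
    if (!ran_ue) {
        fprintf(stderr, "[%s] RAN UE context %d already released; dropping late SBI request\n",
                amf_ue->supi, amf_ue->ran_ue_id);
        return NULL;
    }
    snprintf(buf, len, "{\"supi\":\"%s\",\"ranUe\":%d}", amf_ue->supi, ran_ue->gnb_ngap_id);
    return buf;
}

/* Replays the race: request built while the UE is attached, UE released,
 * then the same build attempted again on the late SBI event. Returns 1 if
 * the hardened builder succeeded first and then declined cleanly. */
int simulate_late_sbi_event(void)
{
    ran_ue_t *ran_ue = ran_ue_add(4242);
    if (!ran_ue)
        return 0;
    amf_ue_t amf_ue = { "imsi-001010000000001", ran_ue->id };  /* constructed SUPI */
    char buf[128];

    if (!build_policy_request_fixed(&amf_ue, buf, sizeof buf))
        return 0;                       /* in flight: context exists, build succeeds */
    ran_ue_remove(ran_ue);              /* UE disconnects before the response arrives */
    /* build_policy_request_vulnerable(&amf_ue, ...) here would abort the AMF. */
    return build_policy_request_fixed(&amf_ue, buf, sizeof buf) == NULL;
}

int main(void)
{
    printf("late SBI event handled without abort: %s\n",
           simulate_late_sbi_event() ? "yes" : "no");
    return 0;
}
```

The design point for reviewers of similar code: an assertion is appropriate for invariants the program itself controls, not for state whose lifetime is driven by external timing such as a UE's attachment; the latter must be checked and handled, which is exactly what removing the ran_ue_find_by_id assertions achieves in the 2.7.6 patch.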
Workarounds
- Implement network segmentation to limit exposure of AMF interfaces to trusted sources only
- Deploy rate limiting on network interfaces serving the AMF to reduce DoS impact
- Configure process supervision with automatic restart capabilities to minimize service downtime
- Implement redundant AMF deployments with load balancing to maintain availability during attacks
# Configuration example - Network access restriction for AMF
# Restrict the AMF SBI interface (Open5GS default TCP port 7777) to a trusted 5G core subnet.
# 10.5.0.0/24 is a placeholder; use your own SBI network. Place these before any broader ACCEPT rule.
iptables -A INPUT -p tcp --dport 7777 -s 10.5.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j DROP
# Note: these rules cover only the SBI side; apply the same principle to the NGAP interface toward the RAN.
# Enable systemd automatic restart for the Open5GS AMF via a drop-in override
# (non-interactive equivalent of: systemctl edit open5gs-amfd)
mkdir -p /etc/systemd/system/open5gs-amfd.service.d
cat > /etc/systemd/system/open5gs-amfd.service.d/override.conf <<'EOF'
[Service]
Restart=always
RestartSec=5
EOF
systemctl daemon-reload
systemctl restart open5gs-amfd
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.