CVE-2025-8805 Overview
A denial of service vulnerability has been identified in Open5GS, an open-source implementation of 5G Core and EPC (Evolved Packet Core). The vulnerability affects the Session Management Function (SMF) component, specifically within the smf_gsm_state_wait_pfcp_deletion function located in src/smf/gsm-sm.c. This flaw allows remote attackers to cause service disruption through improper resource release, classified under CWE-404 (Improper Resource Shutdown or Release).
Critical Impact
Remote attackers can exploit this vulnerability to crash the SMF component, disrupting 5G network session management and potentially causing widespread service outages for connected devices.
Affected Products
- Open5GS versions up to 2.7.5
- Open5GS SMF (Session Management Function) component
- 5G Core deployments utilizing vulnerable Open5GS versions
Discovery Timeline
- August 10, 2025 - CVE-2025-8805 published to NVD
- August 15, 2025 - Last updated in NVD database
Technical Details for CVE-2025-8805
Vulnerability Analysis
This vulnerability stems from improper handling of NAMF_COMM API messages within the SMF's GSM state machine. The affected function smf_gsm_state_wait_pfcp_deletion fails to validate and handle SBI (Service Based Interface) messages from the NAMF_COMM service that arrive while a session is waiting for PFCP deletion, leading to an assertion failure that crashes the SMF process. The exploit has been publicly disclosed, and proof-of-concept materials are available, increasing the risk of exploitation in production environments.
The vulnerability is network-accessible without requiring authentication or user interaction, making it particularly dangerous for exposed 5G Core deployments. When exploited, the SMF component crashes, disrupting PDU (Protocol Data Unit) session management for all connected user equipment.
Root Cause
The root cause is classified as CWE-404: Improper Resource Shutdown or Release. The SMF component lacks proper validation for incoming SBI messages from the NAMF_COMM service, specifically when handling UE context-related communications. When invalid or unexpected API messages arrive during the PFCP deletion state, the code path reaches an assertion (ogs_assert_if_reached()) that terminates the process rather than gracefully handling the error condition.
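The failure mode described above, as an added illustration that is not Open5GS code: a constructed C model of the per-session dispatch in the wait-for-PFCP-deletion state, with the pre-fix shape (any unexpected API name falls through to the assertion) beside a log-and-continue version. Service and resource names are plain strings rather than the project's name constants, the dispatch_result_t codes are an assumption of this model, and fatal_assert() stands in for ogs_assert_if_reached() by counting hits instead of aborting so the two versions can be compared in one run. The "after" version goes beyond the upstream patch: it applies the log-and-continue policy to every unexpected message instead of only to namf-comm/ue-contexts.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the SMF's per-session dispatch; service and resource
 * names are plain strings rather than Open5GS's name constants. */
typedef struct {
    const char *service;   /* API name, e.g. "nsmf-pdusession" or "namf-comm" */
    const char *resource;  /* first resource component, e.g. "ue-contexts" */
} sbi_msg_t;

typedef enum {
    DISPATCH_HANDLED  = 0,   /* valid in this state and processed */
    DISPATCH_IGNORED  = 1,   /* logged and dropped, session state unchanged */
    DISPATCH_REJECTED = 2,   /* logged, caller answers with an error response */
    DISPATCH_FATAL    = 3    /* pre-fix outcome: the process would have aborted */
} dispatch_result_t;

/* Stand-in for ogs_assert_if_reached(). In Open5GS it terminates the SMF;
 * here it only counts how often the fatal path was reached. */
static int fatal_hits = 0;
static void fatal_assert(const char *why) {
    fatal_hits++;
    fprintf(stderr, "FATAL (would abort): %s\n", why);
}

/* Pre-fix shape: only the expected nsmf-pdusession message is handled while
 * waiting for PFCP deletion; every other API name reaches the assertion. */
dispatch_result_t wait_pfcp_deletion_before(const sbi_msg_t *m) {
    const char *svc = m->service ? m->service : "";
    if (strcmp(svc, "nsmf-pdusession") == 0)
        return DISPATCH_HANDLED;
    fprintf(stderr, "Invalid API name [%s]\n", svc);
    fatal_assert("unexpected API name in wait_pfcp_deletion");
    return DISPATCH_FATAL;
}

/* Hardened shape: unexpected input is logged and the state machine keeps
 * running. The upstream patch does this for namf-comm/ue-contexts only; this
 * model treats every unexpected message as non-fatal, which is the defensive
 * default for anything that arrives over the network. */
dispatch_result_t wait_pfcp_deletion_after(const sbi_msg_t *m) {
    const char *svc = m->service ? m->service : "";
    if (strcmp(svc, "nsmf-pdusession") == 0)
        return DISPATCH_HANDLED;
    if (strcmp(svc, "namf-comm") == 0) {
        if (m->resource && strcmp(m->resource, "ue-contexts") == 0) {
            fprintf(stderr, "Ignore SBI message namf-comm/ue-contexts "
                            "while waiting for PFCP deletion\n");
            return DISPATCH_IGNORED;
        }
        fprintf(stderr, "Invalid resource name [%s]\n",
                m->resource ? m->resource : "(none)");
        return DISPATCH_REJECTED;
    }
    fprintf(stderr, "Invalid API name [%s]\n", svc);
    return DISPATCH_REJECTED;
}

int fatal_hit_count(void) { return fatal_hits; }
void reset_fatal_hits(void) { fatal_hits = 0; }

int main(void) {
    /* Constructed sample messages, including the namf-comm cases. */
    const sbi_msg_t msgs[] = {
        { "nsmf-pdusession", "sm-contexts" },
        { "namf-comm",       "ue-contexts" },
        { "namf-comm",       "subscriptions" },
        { "nudm-sdm",        "sdm-subscriptions" },
    };
    for (size_t i = 0; i < sizeof msgs / sizeof *msgs; i++)
        printf("%s/%s: before=%d after=%d\n", msgs[i].service, msgs[i].resource,
               wait_pfcp_deletion_before(&msgs[i]), wait_pfcp_deletion_after(&msgs[i]));
    printf("fatal path reached %d times in the pre-fix version\n", fatal_hit_count());
    return 0;
}
```

The design point is that a state machine fed from the network must have a non-aborting default branch for every state: an assertion is a statement about the program's own invariants, not a way to reject peer input, and the "before" function shows how an unexpected but well-formed message becomes a crash.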
Attack Vector
The attack can be launched remotely over the network by sending specially crafted SBI messages to the SMF component. An attacker with network access to the 5G Core's service-based interface can trigger the vulnerability by sending malformed NAMF_COMM API requests targeting UE contexts during specific session states. This causes the SMF to enter an unhandled code path, triggering a fatal assertion and crashing the service.
// Security patch from commit c58b8f081986aaf2a312d73a0a17985518b47fe6
// Added proper handling for NAMF_COMM API messages
stream, OGS_SBI_HTTP_STATUS_BAD_REQUEST,
n1smbuf, OpenAPI_n2_sm_info_type_NULL, NULL);
break;
+ CASE(OGS_SBI_SERVICE_NAME_NAMF_COMM)
+ SWITCH(sbi_message->h.resource.component[0])
+ CASE(OGS_SBI_RESOURCE_NAME_UE_CONTEXTS)
+ ogs_error("[%s:%d] Ignore SBI message "
+ "state [%d] res_status [%d]",
+ smf_ue->supi, sess->psi,
+ e->h.sbi.state, sbi_message->res_status);
+ break;
+
+ DEFAULT
+ ogs_error("[%s:%d] Invalid resource name [%s]",
+ smf_ue->supi, sess->psi,
+ sbi_message->h.resource.component[0]);
+ ogs_assert_if_reached();
+ END
+ break;
+
DEFAULT
ogs_error("[%s:%d] Invalid API name [%s]",
smf_ue->supi, sess->psi, sbi_message->h.service.name);
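Review bot: the inner DEFAULT under CASE(OGS_SBI_SERVICE_NAME_NAMF_COMM) still ends in ogs_assert_if_reached(), so a NAMF_COMM message whose first resource component is anything other than ue-contexts continues to terminate the SMF from this state; only the ue-contexts path has been made non-fatal. Since the purpose of the change is to stop network input from reaching an abort, suggest mirroring the ue-contexts branch there: keep the ogs_error("[%s:%d] Invalid resource name [%s]", ...) and replace ogs_assert_if_reached() with break, and give the outer DEFAULT (the branch a NAMF_COMM message took before this change) the same treatment if it still asserts. Separately, sbi_message->h.resource.component[0] is passed to SWITCH and to a %s format without a NULL check; if a NAMF_COMM request can arrive with no resource component, that should be guarded before the switch rather than relying on the macros.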
Source: GitHub Commit Update
Detection Methods for CVE-2025-8805
Indicators of Compromise
- Unexpected SMF process terminations or crashes in system logs
- Core dumps containing references to smf_gsm_state_wait_pfcp_deletion or assertion failures
- Unusual NAMF_COMM API traffic patterns targeting the SMF component
- Repeated service restarts of the Open5GS SMF daemon
Detection Strategies
- Monitor SMF process stability and implement alerting for unexpected terminations
- Analyze SBI interface traffic for malformed or suspicious NAMF_COMM requests
- Review Open5GS logs for error messages containing "Invalid API name" or "Invalid resource name"
- Implement network intrusion detection rules for anomalous 5G Core SBI traffic patterns
Monitoring Recommendations
- Enable verbose logging for the SMF component to capture detailed SBI message information
- Deploy process monitoring to detect and alert on SMF crashes with automatic restart capabilities
- Implement network flow analysis on the SBI interface to baseline normal traffic patterns
- Configure SIEM correlation rules to detect repeated SMF failures indicative of active exploitation
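The correlation described in the detection and monitoring lists above, as an added example that is not from this page or the Open5GS project: a C routine that scans log records for the crash indicators named here (the "Invalid API name" and "Invalid resource name" errors, assertion output, and abnormal exits of the open5gs-smfd unit) and alerts when several fall inside one time window. The record layout "<epoch> <source> <message>" is an assumed SIEM-normalized export, the sample lines are constructed, and the 60-second window and threshold of 3 are illustrative values to tune per deployment.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_EVENTS 256

/* Substrings that mark an SMF crash or the error path this CVE exercises.
 * "code=killed"/"code=dumped" are the systemd wording for abnormal exits. */
static const char *CRASH_MARKERS[] = {
    "Invalid API name",
    "Invalid resource name",
    "ogs_assert",
    "code=killed",
    "code=dumped",
};

/* Constructed records in an assumed normalized layout: "<epoch> <source> <message>".
 * A planned, clean restart comes first; the later burst mimics repeated crashes. */
static const char *SAMPLE_LOG[] = {
    "1754906000 systemd open5gs-smfd.service: Main process exited, code=exited, status=0/SUCCESS",
    "1754906001 systemd Started Open5GS SMF Daemon.",
    "1754906400 smf [imsi-001010000000001:5] Invalid API name [namf-comm]",
    "1754906400 smf ogs_assert_if_reached() in smf_gsm_state_wait_pfcp_deletion",
    "1754906401 systemd open5gs-smfd.service: Main process exited, code=killed, status=6/ABRT",
    "1754906406 systemd open5gs-smfd.service: Scheduled restart job, restart counter is at 1.",
    "1754906430 smf [imsi-001010000000001:5] Invalid API name [namf-comm]",
    "1754906431 systemd open5gs-smfd.service: Main process exited, code=killed, status=6/ABRT",
};
#define SAMPLE_LOG_LEN ((int)(sizeof SAMPLE_LOG / sizeof *SAMPLE_LOG))

/* Classify one record; returns 1 for a crash indicator and stores its epoch in *ts. */
int is_crash_indicator(const char *line, long *ts) {
    char *end;
    long t = strtol(line, &end, 10);
    if (end == line)
        return 0;                       /* no leading timestamp: not a normalized record */
    for (size_t i = 0; i < sizeof CRASH_MARKERS / sizeof *CRASH_MARKERS; i++) {
        if (strstr(end, CRASH_MARKERS[i])) {
            if (ts) *ts = t;
            return 1;
        }
    }
    return 0;
}

/* Largest number of crash indicators inside any window_sec-long interval.
 * Records are assumed to be in chronological order. */
int max_indicators_in_window(const char **lines, int n, long window_sec) {
    long ts[MAX_EVENTS];
    int k = 0, best = 0, lo = 0;
    for (int i = 0; i < n && k < MAX_EVENTS; i++) {
        long t;
        if (is_crash_indicator(lines[i], &t))
            ts[k++] = t;
    }
    for (int hi = 0; hi < k; hi++) {         /* two-pointer sliding window */
        while (ts[hi] - ts[lo] > window_sec)
            lo++;
        if (hi - lo + 1 > best)
            best = hi - lo + 1;
    }
    return best;
}

/* SIEM-style rule: alert when at least `threshold` indicators share one window. */
int smf_crash_alert(const char **lines, int n, long window_sec, int threshold) {
    return max_indicators_in_window(lines, n, window_sec) >= threshold;
}

int main(void) {
    int burst = max_indicators_in_window(SAMPLE_LOG, SAMPLE_LOG_LEN, 60);
    printf("max crash indicators in any 60 s window: %d -> %s\n", burst,
           smf_crash_alert(SAMPLE_LOG, SAMPLE_LOG_LEN, 60, 3) ? "ALERT" : "ok");
    return 0;
}
```

A single "Invalid API name" line is routine noise from misbehaving peers; the signal this rule keys on is the cluster of error, assertion and abnormal-exit records in a short span, which is what repeated exploitation of a crash bug looks like in the journal, while the clean maintenance restart at the top of the sample is not counted.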
How to Mitigate CVE-2025-8805
Immediate Actions Required
- Upgrade Open5GS to version 2.7.6 or later immediately
- Review network access controls to restrict SBI interface exposure
- Implement rate limiting on the SMF's SBI endpoints to slow potential exploitation attempts
- Enable automatic service restart for the SMF component to minimize downtime during attacks
Patch Information
The vulnerability has been addressed in Open5GS version 2.7.6. The security fix is identified by commit hash c58b8f081986aaf2a312d73a0a17985518b47fe6. The patch adds a dedicated case handler for NAMF_COMM API messages in the wait-for-PFCP-deletion state: messages addressed to the UE contexts resource are logged as ignored and processing continues, instead of falling into the default branch and crashing. Organizations should upgrade to version 2.7.6 or apply the patch from the official commit. The release notes for v2.7.6 contain additional information about the fix.
Workarounds
- Implement network segmentation to isolate the 5G Core SBI interface from untrusted networks
- Deploy a reverse proxy or API gateway in front of the SMF to filter and validate incoming SBI messages
- Configure firewall rules to restrict access to the SMF's SBI endpoints to only authorized network functions
- Monitor the GitHub issue discussion for additional mitigation guidance from the Open5GS community
# Configuration example - Network isolation for Open5GS SMF
# Restrict SBI interface access using iptables (7777 is the default SBI port in
# Open5GS configs; replace 10.0.0.0/24 with the subnet that hosts your trusted
# 5G Core network functions)
# Allow SBI traffic only from trusted 5G Core network functions, drop everything else
iptables -A INPUT -p tcp --dport 7777 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j DROP
# Enable automatic restart for the SMF service through a systemd drop-in
# (the same override that "systemctl edit open5gs-smfd" would create interactively)
systemctl enable open5gs-smfd
mkdir -p /etc/systemd/system/open5gs-smfd.service.d
cat > /etc/systemd/system/open5gs-smfd.service.d/override.conf <<'EOF'
[Service]
Restart=always
RestartSec=5
EOF
systemctl daemon-reload
systemctl restart open5gs-smfd
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.