Skip to main content
CVE Vulnerability Database

CVE-2025-8805: Open5GS SMF Component DoS Vulnerability

CVE-2025-8805 is a denial of service vulnerability in Open5GS SMF component affecting versions up to 2.7.5. Attackers can remotely exploit this flaw to disrupt service. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published:

CVE-2025-8805 Overview

A denial of service vulnerability has been identified in Open5GS, an open-source implementation of 5G Core and EPC (Evolved Packet Core). The vulnerability affects the Session Management Function (SMF) component, specifically within the smf_gsm_state_wait_pfcp_deletion function located in src/smf/gsm-sm.c. This flaw allows remote attackers to cause service disruption through improper resource release, classified under CWE-404 (Improper Resource Shutdown or Release).

Critical Impact

Remote attackers can exploit this vulnerability to crash the SMF component, disrupting 5G network session management and potentially causing widespread service outages for connected devices.

Affected Products

  • Open5GS versions up to 2.7.5
  • Open5GS SMF (Session Management Function) component
  • 5G Core deployments utilizing vulnerable Open5GS versions

Discovery Timeline

  • August 10, 2025 - CVE-2025-8805 published to NVD
  • August 15, 2025 - Last updated in NVD database

Technical Details for CVE-2025-8805

Vulnerability Analysis

This vulnerability stems from improper handling of NAMF_COMM API messages within the SMF's GSM state machine. The affected function smf_gsm_state_wait_pfcp_deletion fails to properly validate and handle certain SBI (Service Based Interface) messages, leading to an assertion failure that crashes the SMF process. The exploit has been publicly disclosed, and proof-of-concept materials are available, increasing the risk of exploitation in production environments.

The vulnerability is network-accessible without requiring authentication or user interaction, making it particularly dangerous for exposed 5G Core deployments. When exploited, the SMF component crashes, disrupting PDU (Protocol Data Unit) session management for all connected user equipment.

Root Cause

The root cause is classified as CWE-404: Improper Resource Shutdown or Release. The SMF component lacks proper validation for incoming SBI messages from the NAMF_COMM service, specifically when handling UE context-related communications. When invalid or unexpected API messages arrive during the PFCP deletion state, the code path reaches an assertion (ogs_assert_if_reached()) that terminates the process rather than gracefully handling the error condition.

Attack Vector

The attack can be launched remotely over the network by sending specially crafted SBI messages to the SMF component. An attacker with network access to the 5G Core's service-based interface can trigger the vulnerability by sending malformed NAMF_COMM API requests targeting UE contexts during specific session states. This causes the SMF to enter an unhandled code path, triggering a fatal assertion and crashing the service.

c
// Security patch from commit c58b8f081986aaf2a312d73a0a17985518b47fe6
// Added proper handling for NAMF_COMM API messages

                     stream, OGS_SBI_HTTP_STATUS_BAD_REQUEST,
                     n1smbuf, OpenAPI_n2_sm_info_type_NULL, NULL);
             break;
+        CASE(OGS_SBI_SERVICE_NAME_NAMF_COMM)
+            SWITCH(sbi_message->h.resource.component[0])
+            CASE(OGS_SBI_RESOURCE_NAME_UE_CONTEXTS)
+                ogs_error("[%s:%d] Ignore SBI message "
+                        "state [%d] res_status [%d]",
+                    smf_ue->supi, sess->psi,
+                    e->h.sbi.state, sbi_message->res_status);
+                break;
+
+            DEFAULT
+                ogs_error("[%s:%d] Invalid resource name [%s]",
+                        smf_ue->supi, sess->psi,
+                        sbi_message->h.resource.component[0]);
+                ogs_assert_if_reached();
+            END
+            break;
+
         DEFAULT
             ogs_error("[%s:%d] Invalid API name [%s]",
                     smf_ue->supi, sess->psi, sbi_message->h.service.name);

Source: GitHub Commit Update

Detection Methods for CVE-2025-8805

Indicators of Compromise

  • Unexpected SMF process terminations or crashes in system logs
  • Core dumps containing references to smf_gsm_state_wait_pfcp_deletion or assertion failures
  • Unusual NAMF_COMM API traffic patterns targeting the SMF component
  • Repeated service restarts of the Open5GS SMF daemon

Detection Strategies

  • Monitor SMF process stability and implement alerting for unexpected terminations
  • Analyze SBI interface traffic for malformed or suspicious NAMF_COMM requests
  • Review Open5GS logs for error messages containing "Invalid API name" or "Invalid resource name"
  • Implement network intrusion detection rules for anomalous 5G Core SBI traffic patterns

Monitoring Recommendations

  • Enable verbose logging for the SMF component to capture detailed SBI message information
  • Deploy process monitoring to detect and alert on SMF crashes with automatic restart capabilities
  • Implement network flow analysis on the SBI interface to baseline normal traffic patterns
  • Configure SIEM correlation rules to detect repeated SMF failures indicative of active exploitation

How to Mitigate CVE-2025-8805

Immediate Actions Required

  • Upgrade Open5GS to version 2.7.6 or later immediately
  • Review network access controls to restrict SBI interface exposure
  • Implement rate limiting on the SMF's SBI endpoints to slow potential exploitation attempts
  • Enable automatic service restart for the SMF component to minimize downtime during attacks

Patch Information

The vulnerability has been addressed in Open5GS version 2.7.6. The security fix is identified by commit hash c58b8f081986aaf2a312d73a0a17985518b47fe6. The patch adds proper handling for NAMF_COMM API messages by implementing a dedicated case handler that logs the invalid message and continues operation rather than crashing. Organizations should upgrade to version 2.7.6 or apply the patch from the official commit. The release notes for v2.7.6 contain additional information about the fix.

Workarounds

  • Implement network segmentation to isolate the 5G Core SBI interface from untrusted networks
  • Deploy a reverse proxy or API gateway in front of the SMF to filter and validate incoming SBI messages
  • Configure firewall rules to restrict access to the SMF's SBI endpoints to only authorized network functions
  • Monitor the GitHub issue discussion for additional mitigation guidance from the Open5GS community
bash
# Configuration example - Network isolation for Open5GS SMF
# Restrict SBI interface access using iptables

# Allow SBI traffic only from trusted 5G Core network functions
iptables -A INPUT -p tcp --dport 7777 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j DROP

# Enable automatic restart for SMF service
systemctl enable open5gs-smfd
systemctl edit open5gs-smfd --force
# Add: [Service]
# Restart=always
# RestartSec=5

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.