CVE-2025-7485

Publication date: 2025-07-12

Last updated on: 2025-08-25

Assigner: VulDB

Description
A vulnerability classified as problematic was found in Open5GS up to 2.7.3. Affected by this vulnerability is the function ngap_recv_handler/s1ap_recv_handler/recv_handler of the component SCTP Partial Message Handler. The manipulation leads to reachable assertion. The attack needs to be approached locally. The patch is named cfa44575020f3fb045fd971358442053c8684d3d. It is recommended to apply a patch to fix this issue.
Meta Information
Published: 2025-07-12
Last Modified: 2025-08-25
Generated: 2026-05-27
AI Q&A: 2025-07-12
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
open5gs | open5gs | to 2.7.6 (exc)
CWE
CWE ID | Description
CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-7485 is a vulnerability in Open5GS versions up to 2.7.3 affecting the SCTP Partial Message Handler in the AMF component. The issue arises because Open5GS incorrectly handles fragmented SCTP messages that lack the MSG_EOR (Message End of Record) flag. Instead of properly caching and reassembling these message fragments, the system triggers fatal assertion failures when processing them, causing the AMF process to crash. This happens because Open5GS assumes any fragment missing the MSG_EOR flag is erroneous, which is not always true in normal SCTP fragmentation. The vulnerability leads to denial of service by crashing the AMF when it receives oversized or fragmented SCTP messages. [1, 4]


How can this vulnerability impact me?

This vulnerability can cause the Open5GS AMF component to crash when it receives specially crafted or oversized fragmented SCTP messages. The crash results in a denial of service condition, making the affected service unavailable. Since the attack requires local access, an attacker with local privileges could exploit this to disrupt network services relying on Open5GS, impacting availability and potentially causing service interruptions. [1, 2, 4]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for crashes or fatal assertion failures in the Open5GS AMF or MME processes, specifically related to SCTP message handling. Logs showing repeated failures in the function ogs_sctp_recvmsg with error code 0, followed by fatal errors and backtraces in ngap_recv_handler, s1ap_recv_handler, or recv_handler, indicate the presence of this issue. Network traffic analysis could focus on detecting SCTP partial or fragmented messages lacking the MSG_EOR flag that trigger these crashes. While no specific detection commands are provided, monitoring Open5GS logs for assertion failures and crashes related to SCTP message processing is recommended. [4, 1, 2]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to apply the patch identified by commit cfa44575020f3fb045fd971358442053c8684d3d, which replaces fatal assertions on oversized or fragmented SCTP messages with non-fatal error logging and safe message dropping. This patch prevents the AMF or MME processes from crashing upon receiving partial SCTP messages without the MSG_EOR flag. Until the patch is applied, restricting local access to the affected Open5GS components may reduce exploitation risk, as the attack requires local access. Monitoring and restarting the affected services upon crash can also be a temporary measure. [3, 2]
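
The handling described above (cache fragments until MSG_EOR arrives, log and drop an oversized message instead of asserting) can be sketched as follows. This is an added example, not the Open5GS patch or any project code; MAX_MSG, struct reasm, reasm_feed and reasm_reset are hypothetical names and values chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>              /* MSG_EOR */

#define MAX_MSG 8192                 /* assumed limit, not an Open5GS constant */

enum frag_result { FRAG_PENDING, FRAG_COMPLETE, FRAG_DROPPED };

struct reasm {                       /* hypothetical per-association state */
    unsigned char buf[MAX_MSG];
    size_t len;
    int discarding;                  /* skipping the tail of an oversized message */
};

void reasm_reset(struct reasm *r) { r->len = 0; r->discarding = 0; }

/* Feed one recvmsg() result (payload, length, msg_flags).
 * The crash class described above corresponds to writing
 *     assert(msg_flags & MSG_EOR);
 * at this point, which aborts on any partial delivery. */
enum frag_result reasm_feed(struct reasm *r, const void *data, size_t n,
                            int msg_flags)
{
    int eor = (msg_flags & MSG_EOR) != 0;

    if (!r->discarding && n > MAX_MSG - r->len) {
        fprintf(stderr, "sctp: message over %d bytes, dropping\n", MAX_MSG);
        r->discarding = 1;
    }
    if (r->discarding) {             /* drop until the record ends, then resync */
        r->len = 0;
        if (eor)
            r->discarding = 0;
        return FRAG_DROPPED;
    }
    memcpy(r->buf + r->len, data, n);
    r->len += n;
    return eor ? FRAG_COMPLETE : FRAG_PENDING;
}

int main(void)
{
    static struct reasm r;           /* zero-initialised */
    unsigned char frag[100] = {0};   /* constructed sample payload */

    printf("%d\n", reasm_feed(&r, frag, sizeof frag, 0));        /* pending */
    printf("%d\n", reasm_feed(&r, frag, sizeof frag, MSG_EOR));  /* complete */
    return 0;
}
```

After a FRAG_COMPLETE result the caller processes r->buf[0..r->len) and then calls reasm_reset before feeding the next fragment.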

