CVE-2025-8801
BaseFortify
Publication date: 2025-08-10
Last updated on: 2025-08-15
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | < 2.7.6 (all releases up to and including 2.7.5) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8801 is a denial-of-service (DoS) vulnerability in Open5GS versions up to and including 2.7.5, in the Access and Mobility Management Function (AMF). During registration the AMF asks the Unified Data Management (UDM) function for subscriber data over the nudm-sdm service (Subscriber Data Management); the request involved here is smf-select-data. If the UE deregisters and the AMF removes the UE context before the UDM's reply arrives, the late reply is delivered for a UE that no longer sits in any normal 5GMM state (the state machine is called GMM in the Open5GS source). The exception state has no branch for that event, so control reaches the fallback in gmm_state_exception, which hits the fatal "should not be reached" assertion and aborts the whole AMF process. This is the CWE-404 pattern: the in-flight SBI request is neither cancelled nor tolerated when the resource it belongs to (the UE context) is released. VulDB classifies the attack as remote and unauthenticated. Note that the late message itself comes from the UDM over the core-internal SBI interface; what an outside party controls is the timing of registration and deregistration on the access side, which is what produces the race. The root cause is missing state validation and improper resource handling in the AMF when an asynchronous SBI response outlives the context it was issued for. [1, 2, 3]
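The race described above, reduced to its essentials as an added example (this is not Open5GS code; the class stands in for the AMF's UE context table, its GMM state machine and its SBI client callback, and names such as `on_sdm_response` and the state strings are assumptions). The same model is run once with the vulnerable behaviour, where a response for a removed context falls through to the fatal assertion, and once with the hardened behaviour, where the late response is logged and dropped:

```python
"""Minimal model of the late-response race behind CVE-2025-8801.

Added example, not Open5GS code. The AMF's context table, GMM state machine
and SBI client callback are replaced by a small class; the state names and
method names are assumptions chosen for readability.
"""


class AmfAbort(RuntimeError):
    """Stands in for ogs_assert_if_reached(): the whole AMF process terminates."""


class Amf:
    def __init__(self, tolerate_late_responses: bool):
        self.tolerate_late_responses = tolerate_late_responses
        self.ue = {}   # supi -> GMM state; a missing key means the context was removed
        self.log = []

    def registration_request(self, supi: str) -> None:
        # The AMF creates the UE context and sends the nudm-sdm smf-select-data
        # request to the UDM. The answer arrives later, asynchronously.
        self.ue[supi] = "registering"

    def deregistration_request(self, supi: str) -> None:
        # The UE context is released. The in-flight UDM request is NOT cancelled
        # (CWE-404): its response can still be delivered afterwards.
        self.ue.pop(supi, None)

    def on_sdm_response(self, supi: str) -> str:
        """SBI client callback for the smf-select-data response."""
        state = self.ue.get(supi)
        if state == "registering":
            self.ue[supi] = "registered"
            return "registered"
        if state is None:
            # Context already gone: no normal GMM state expects this event.
            if self.tolerate_late_responses:
                # Hardened behaviour: record it and keep serving other UEs.
                self.log.append(f"{supi}: late nudm-sdm response ignored, context removed")
                return "dropped"
            # Vulnerable behaviour: the exception state's default branch aborts.
            raise AmfAbort("gmm_state_exception: should not be reached")
        return state


def run(events, tolerate_late_responses: bool) -> str:
    """Feed ordered (event, supi) pairs to a fresh AMF and return the last outcome."""
    amf = Amf(tolerate_late_responses)
    outcome = "idle"
    for name, supi in events:
        if name == "registration":
            amf.registration_request(supi)
            outcome = "registering"
        elif name == "deregistration":
            amf.deregistration_request(supi)
            outcome = "deregistered"
        elif name == "sdm_response":
            outcome = amf.on_sdm_response(supi)
        else:
            raise ValueError(f"unknown event {name}")
    return outcome


def crashes(events, tolerate_late_responses: bool) -> bool:
    """True if the sequence brings the modelled AMF down."""
    try:
        run(events, tolerate_late_responses)
    except AmfAbort:
        return True
    return False


# Constructed sequences. NORMAL is the expected order; RACE is the UDM reply
# arriving after the UE has already deregistered.
SUPI = "imsi-001010000000001"
NORMAL = [("registration", SUPI), ("sdm_response", SUPI), ("deregistration", SUPI)]
RACE = [("registration", SUPI), ("deregistration", SUPI), ("sdm_response", SUPI)]

if __name__ == "__main__":
    print("normal order, vulnerable AMF:", run(NORMAL, False))
    print("race, hardened AMF:         ", run(RACE, True))
    print("race, vulnerable AMF crashes:", crashes(RACE, False))
```

The point of the model is that the same three messages produce either a clean deregistration or a process abort depending only on their order; the hardened branch is the generic fix for this class of bug, which is to look the context up again when an asynchronous response is delivered and treat a missing context as a droppable event rather than an impossible one.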
How can this vulnerability impact me?
The AMF is the control-plane anchor for every UE served by a 5G core: registration, mobility and the signalling that sets up PDU sessions all pass through it. When the process aborts, all of those UEs lose service until the AMF is restarted, either by an operator or by a supervisor such as systemd or a container restart policy. Because the trigger is a timing condition in ordinary registration and deregistration traffic, the crash can be repeated as often as the race can be won, so the realistic impact is a crash loop rather than a single outage, and the advisory classifies the attack as remote and unauthenticated. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection works at two layers. On the host, look in the AMF log (by default /var/log/open5gs/amf.log when logger.file is set in amf.yaml, otherwise the journal of the open5gs-amfd service or the container's stdout) for FATAL entries from gmm_state_exception, in particular the ogs_assert_if_reached() text "should not be reached", shortly after a nudm-sdm smf-select-data response for a UE whose context had just been removed. A crash is followed by the process's start-up messages, so a tight sequence of fatal line, start-up, fatal line is a crash loop and worth alerting on. Useful commands: `journalctl -u open5gs-amfd -p err --since today`, `grep -n -E 'gmm_state_exception|should not be reached' /var/log/open5gs/amf.log`, `docker logs <open5gs-amf-container> 2>&1 | grep FATAL`, and `systemctl show open5gs-amfd -p NRestarts` for the restart count. On the network, Open5GS's SBI is HTTP/2 on TCP port 7777 by default and is cleartext unless TLS has been configured, so `tcpdump -i any -nn -w sbi.pcap 'tcp port 7777'` followed by a Wireshark display filter such as `http2.header.value contains "smf-select-data"` isolates the UDM exchange. The response itself is not anomalous; what matters is a smf-select-data response arriving after the same SUPI's deregistration, so correlate by SUPI and time rather than looking for a "suspicious" message. [2, 3]
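The log-side check above, as an added example run over constructed sample lines (not part of the advisory or of Open5GS): the line layout imitates Open5GS's default log format, the "should not be reached" text is what ogs_assert_if_reached() prints, and the wording of the other messages, the timestamps and the SUPI are assumptions made up for the sample. The scanner counts the fatal state-machine assertion, a nudm-sdm smf-select-data message logged within a short window after the UE context was removed (the race itself), and start-ups that follow a crash (crash-loop indicator):

```python
"""Scan Open5GS AMF log output for the CVE-2025-8801 crash signature.

Added example, not Open5GS code. Log lines below are constructed: the format
mimics Open5GS's logger ("MM/DD HH:MM:SS.mmm: [module] LEVEL: message"), the
"should not be reached" text is the real ogs_assert_if_reached() message, and
everything else (SUPI, other message wording, timestamps) is invented.
"""
import re
import sys
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d\.\d{3}): \[(?P<mod>[^\]]+)\] "
    r"(?P<lvl>[A-Z]+): (?P<msg>.*)$"
)

# Constructed sample: a UE registers, deregisters, the UDM's smf-select-data
# response arrives late, the AMF aborts, and systemd starts it again.
SAMPLE_LOG = """\
08/12 10:01:02.113: [amf] INFO: [suci-0-001-01-0000-0-0-0000000001] Registration request (../src/amf/gmm-sm.c:1120)
08/12 10:01:02.170: [amf] INFO: [imsi-001010000000001] Deregistration request (../src/amf/gmm-sm.c:1380)
08/12 10:01:02.171: [amf] INFO: [Removed] Number of AMF-UEs is now 0 (../src/amf/context.c:1633)
08/12 10:01:02.402: [amf] WARNING: [imsi-001010000000001] Late SBI response: nudm-sdm smf-select-data (../src/amf/gmm-sm.c:2400)
08/12 10:01:02.402: [amf] FATAL: gmm_state_exception: should not be reached (../src/amf/gmm-sm.c:2412)
08/12 10:01:02.402: [amf] FATAL: backtrace() returned 9 addresses (../lib/core/ogs-abort.c:37)
08/12 10:01:05.001: [app] INFO: Configuration: '/etc/open5gs/amf.yaml' (../lib/app/ogs-init.c:130)
"""


@dataclass
class Event:
    ts: datetime
    mod: str
    lvl: str
    msg: str


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a well-formed log line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # No year in the log; fine for intra-run time differences.
    ts = datetime.strptime(m["ts"], "%m/%d %H:%M:%S.%f")
    return Event(ts, m["mod"], m["lvl"], m["msg"])


def scan_amf_log(lines: Iterable[str], window_ms: int = 2000) -> dict:
    """Count the three signatures that matter for this CVE.

    fatal_state_exception: FATAL line from gmm_state_exception / ogs_assert_if_reached
    late_sdm_after_removal: nudm-sdm smf-select-data logged within window_ms after
                            a UE context removal or deregistration (the race)
    restarts: AMF start-up marker seen after a fatal line (crash loop)
    """
    counts = {"fatal_state_exception": 0, "late_sdm_after_removal": 0, "restarts": 0}
    last_removal: Optional[datetime] = None
    crashed = False
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev.mod == "amf" and ("[Removed]" in ev.msg or "Deregistration" in ev.msg):
            last_removal = ev.ts
        if ev.mod == "amf" and "nudm-sdm" in ev.msg and "smf-select-data" in ev.msg:
            if last_removal is not None and \
                    (ev.ts - last_removal).total_seconds() * 1000 <= window_ms:
                counts["late_sdm_after_removal"] += 1
        if ev.lvl == "FATAL" and (
                "gmm_state_exception" in ev.msg or "should not be reached" in ev.msg):
            counts["fatal_state_exception"] += 1
            crashed = True
        # Open5GS logs its configuration path from the [app] module on start-up.
        if crashed and ev.mod == "app" and ev.msg.startswith("Configuration:"):
            counts["restarts"] += 1
            crashed = False
    return counts


if __name__ == "__main__":
    # Usage: journalctl -u open5gs-amfd --no-pager -o cat | python3 amf_crash_scan.py
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    print(scan_amf_log(source))
```

Run it over the sample and it reports one fatal assertion, one late smf-select-data message after the context was removed, and one restart. Against real logs, a non-zero `late_sdm_after_removal` without a fatal line means a patched AMF is tolerating the race; a non-zero `restarts` on an unpatched one is the crash loop to page on.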
What immediate steps should I take to mitigate this vulnerability?
Upgrade Open5GS to version 2.7.6 or later; that release contains the fix (commit f47f2bd4f7274295c5fbb19e2f806753d183d09a), which handles a nudm-sdm response arriving after the UE context has been removed instead of aborting. If you build from source and cannot move to 2.7.6 yet, cherry-pick that commit onto your branch. Until the AMF is patched only the blast radius can be reduced, not the bug itself: run the AMF under a supervisor that restarts it (for the systemd unit, `Restart=on-failure` with a short `RestartSec` in a drop-in; for containers, a restart policy) so that a crash is a brief outage rather than a persistent one, and watch UDM latency on nudm-sdm, because the race only opens when the smf-select-data reply arrives after the UE has already deregistered. Rate-limiting registration and deregistration from the access network narrows the window but cannot close it, and memory limits on the host or container have no bearing on this bug. The definitive fix is the software update. [1, 4]