Executive Summary

CVE-2025-70121 is an array index out of bounds vulnerability in the Access and Mobility Management Function (AMF) component of Free5GC version 4.0.1. It occurs when the AMF processes a malformed 5GS Mobile Identity field within a NAS Registration Request message. Specifically, the vulnerability is in the GetSUCI method, which tries to access the sixth element (index 5) of an array that only contains five elements, causing a runtime panic and crashing the AMF.

An unauthenticated remote attacker can exploit this by sending a specially crafted InitialUEMessage over an SCTP connection to the AMF NGAP interface, triggering the out-of-bounds access and causing the AMF to crash.

Useful 0 Not Useful 0

Impact Analysis

Exploitation of this vulnerability results in a denial of service (DoS) condition for the entire 5G core network served by the affected AMF. The AMF crashes due to a runtime panic, disrupting network services and requiring manual intervention to restart the AMF service.

Because the attack requires no authentication and can be performed by any entity with basic SCTP/NGAP knowledge, it poses a significant risk of service disruption.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for crashes or runtime panics in the AMF service logs, specifically looking for error messages indicating an "index out of range [5] with length 5" originating from the GetSUCI method.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts on your network, you can monitor SCTP connections to the AMF NGAP interface (default port 38412) for unusual or malformed InitialUEMessage NAS Registration Request messages.'}, {'type': 'paragraph', 'content': 'Suggested commands include using network packet capture tools such as tcpdump or tshark to filter SCTP traffic on port 38412 and analyze NAS messages for malformed 5GS Mobile Identity fields.'}, {'type': 'list_item', 'content': 'tcpdump -i <interface> port 38412 and sctp'}, {'type': 'list_item', 'content': 'tshark -i <interface> -Y "sctp.port == 38412" -V'}, {'type': 'paragraph', 'content': 'Additionally, reviewing AMF service logs for panic or crash messages can help confirm if the vulnerability has been triggered.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the AMF NGAP interface (default port 38412) to trusted and authenticated network entities only, to prevent unauthenticated attackers from sending malicious InitialUEMessage requests.

Implement network-level filtering or firewall rules to block or limit SCTP traffic to the AMF from untrusted sources.

Monitor the AMF service for crashes and be prepared to manually restart the service if a denial of service occurs.

Apply patches or updates from the Free5GC project that address this vulnerability by adding proper bounds checking and input validation in the GetSUCI method.

Useful 0 Not Useful 0