The imperfect 5G core network infrastructure platform may become a potential cybersecurity vulnerability for enterprises

4 mins.

Cellular networks use UDP tunnels known as GTP-U (GPRS Tunneling Protocol – Userplane) to carry user data from base stations to the packet core. Tunneling provides support for core cellular features, such as session handovers while on the move. However, by their very nature, tunnels allow remote attackers to encapsulate attack packets and deliver them to private addresses through the internet. According to 3GPP standards, the Signaling plane in CT networks must have authentication, but the Data plane is exempt. Vendors may not implement cross-checks between the Control-Plane and Data-Plane either.

This research explores the consequences of the lack of cross-checks and demonstrates how a remote attacker can establish a two-way connection with devices in private subnets. These attacks were verified on commercial packet cores.

Navigating Cyber Risks in Private 5G Networks: Unveiling Vulnerabilities and Strengthening Security Measures

Organizations are increasingly exploring private 5G networks to facilitate digital transformation, given their advantages of low latency, high bandwidth, and capacity, making them ideal for applications like smart cities, college campuses, and smart factories. However, despite their nominal security benefits, private 5G networks can introduce new cyber risks that operators might not be familiar with.

Our latest research uncovered a vulnerability that could potentially allow attackers to breach a private network and exploit weaknesses in connected devices and the 5G core. This discovery sheds light on the cybersecurity risks posed by imperfect 5G core network infrastructure platforms, posing a challenge for enterprises. It emphasizes the importance of thoroughly assessing risks associated with private 5G networks and collaborating with third-party experts to identify and proactively mitigate previously unknown threats.

ZDI-CAN-18522 Vulnerability

This study uncovered the ZDI-CAN-18522 vulnerability targeting packet Reflection. The vulnerability could potentially allow hackers to exploit the exposed 5G core network interface, using internal terminal devices or external network resources as springboards to launch attacks on 5G enterprise private networks, putting business operations at risk.

The research has discovered a vulnerability in the User Plane Function (UPF), a key component of the 5G core network. In situations where two-way authentication is not implemented, hackers can exploit this vulnerability by using forged Tunnel Endpoint Identifier (TEID) to send malicious GTP-U traffic to the UPF. The UPF, in turn, processes the forged TEID and forwards the traffic, enabling attacks on internal terminal devices within the private network. Additionally, hackers can redirect traffic through the UPF to the Internet, establishing two-way connections with internal terminal devices, and allowing for more sophisticated attacks.

CVSS score of 8.3 with two other open source 5G Core network approved

The high severity vulnerability, ZDI-CAN-18522, with a CVSS score of 8.3, could allow a threat actor from anywhere on the internet to access a private 5G network and its devices. Additionally, the CTOne research team has verified two other open-source 5G core network architectures with vulnerabilities, highlighting the importance of prioritizing the security of the 5G private network core infrastructure.

To ensure a secure commercial 5G environment and prevent malicious activities by hackers leveraging this vulnerability, the CTOne research team recommends that enterprises actively implement appropriate network isolation measures to reduce the chances of hackers directly attacking the 5G core network configuration.

To read more about the research, please visit: A Deep Dive into the Packet Reflection Vulnerability Allowing Attackers to Plague Private 5G Networks – Security News (

As 5G technology continues to mature, its openness, agility, and the overall network’s cloudification, open-source utilization, and unprotected IoT devices will bring diverse cybersecurity threats in the enterprise 5G application environment. While the 5G private network architecture is considered the most secure wireless communication standard nowaday, it has also led to a lack of integrated cybersecurity operations and security visibility across Information Technology (IT) and Communication Technology (CT) for many enterprises. Consequently, when cybersecurity risks occur, companies may find themselves ill-prepared to respond. Therefore, it is recommended that enterprises prioritize understanding the hidden information security threats within the overall 5G private network architecture to proactively mitigate risks.

CEO of CTOne, Jason Huang


As a professional 5G telecommunication networking solution vendor,  SpectrEdge and CTOne combined solution delivers rapidly deployable 5G Networking with Industry-Leading Security designed for financial, defense, and public safety markets.


Neutroon and CTOne revolutionize wireless management and cybersecurity, offering 'API First' network control, security, and edge orchestration. Neutroon's unified management spans radio, core, devices, and applications, while CTOne enhances end-to-end security. This collaboration empowers CSPs and enterprises with a scalable, intelligent platform for 5G/LTE.


With a strong focus on operational security, the combination of Pegatron`s end-to-end private 5G offerings and CTOne`s cybersecurity solution enables a more effective approach to enabling smart factories. By addressing critical operational and cybersecurity needs, the joint solution enables modern enterprises to realize the true value of next-generation wireless deployment in their smart factories.


As a certified hardware platform partner, NEXCOM’s hardware appliances have been tested and certified as compatible with CTOne's virtualized private 5G security solution. As a certified solution, global organizations are able to confidently harness the power of CTOne’s leading cybersecurity capabilities in combination with NEXCOM's extensive capabilities in Edge AI, Fixed Wireless Access (FWA), private 5G, and secure IoT connectivity.


The joint Saviah-CTOne solution leverages Saviah's cost-effective, high-performance, reliable, and interoperable industrial-grade 5GC service and CTOne's proven end-to-end security. The result: a more secure and easier to manage private mobile network environment for enterprises with the ability to leverage the major features and versatility of 5G.


Securing OT environments connected to CT networks, the integration of Inventec's Smart Factory DX solution with CTOne extends our security capabilities beyond CT into OT. With our joint solution, we offer enterprises an end-to-end service encompassing IT, OT, and CT, complete with a holistic cybersecurity strategy to support enterprises during digital transformation.


The integration of Ataya’s Harmony solution with CTOne provides enterprises with comprehensive connectivity and security visibility across 5G, Wi-Fi, and wired networks. With this joint solution for hybrid networks, enterprises gain full security visibility into Ataya’s Universal Connectivity Platform while supporting a zero-trust strategy and reducing the effort and cost associated with security management.

This website uses cookies for website functionality, traffic analytics, personalization, social media functionality and advertising. Our Cookie Notice provides more information and explains how to amend your cookie settings. Learn more