Published Product Vulnerabilities
LAST UPDATED: APR 16, 2025
CVEID
ZDI-CAN-23960
CVSS Score
5.3 Medium
PRODUCT
AP5GC
VERSION
2403.0-2
ATTACK VECTOR
Adjacent
PROBLEM TYPE
Microsoft Azure Private 5G Core Un-Authenticated Base Station Override
DESCRIPTION
An arbitrary NGSetupRequest sent to AP5GC with the ID of a legitimate base station can eject the original legitimate base station (gNB) from the network. Cellular devices served by the original base station will be forced to disconnect. A malicious base station can replace the original legitimate base station.
DATE
2024-08-23
CVEID
CVE-2024-20685
CVSS Score
5.9 Medium
PRODUCT
AP5GC
VERSION
2403.0-2
ATTACK VECTOR
Network
PROBLEM TYPE
Azure Private 5G Core Denial of Service Vulnerability.
REFERENCES
– https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20685
– https://www.trendmicro.com/en_us/research/24/i/vulnerabilities-in-cellular-packet-cores-part-iv-authentication.html
DESCRIPTION
By sending a crafted malformed UE Registration message, an attacker can cause a denial-of-service in AP5GC. All cellular devices in the network will lose connectivity.
DATE
2024-04-09
CVEID
CVE-2023-41628
CVSS Score
7.5 High
PRODUCT
Software Community E2
VERSION
G Release
ATTACK VECTOR
3rd party app
PROBLEM TYPE
An issue in O-RAN Software Community E2 G-Release allows attackers to cause a Denial of Service (DoS) by incorrectly initiating the messaging procedure between the E2Node and E2Term components.
REFERENCES
– https://jira.o-ran-sc.org/browse/RIC-1002
– https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/open-ran-attack-of-the-xapps
DESCRIPTION
The vulnerability arises from faulty message handling. Out-of-order messages can occur in networks for various reasons: a message may be lost in transit, the sender may malfunction, or an attacker may inject such a message.
If not handled properly, out-of-order messages can disrupt the receiver's processing flow, leading to unexpected behavior.
DATE
2023-09-01
CVEID
CVE-2023-41627
CVSS Score
7.5 High
PRODUCT
O-RAN Software Community ric-plt-lib-rmr
VERSION
4.9.0
ATTACK VECTOR
3rd party app
PROBLEM TYPE
O-RAN Software Community ric-plt-lib-rmr v4.9.0 does not validate the source of the routing tables it receives, potentially allowing attackers to send forged routing tables to the device.
REFERENCES
– https://jira.o-ran-sc.org/browse/RIC-1001
– https://www.trendmicro.com/en_us/research/23/l/the-current-state-of-open-ran-security.html
DESCRIPTION
E2Term relies on the route table information sent by the Routing Manager at regular intervals to establish communication with other components within the RIC system. However, E2Term does not validate the sender of the route table information it receives. This lack of validation allows an attacker to exploit CVE-2023-41627 by sending forged route table information to E2Term. By sending this information to E2Term at a higher frequency using the Routing Manager, an attacker can deceive E2Term and disrupt its communication with other components.
DATE
2023-09-01
CVEID
CVE-2023-40998
CVSS Score
7.5 High
PRODUCT
O-RAN Software Community ric-plt-lib-rmr
VERSION
4.9.0
ATTACK VECTOR
3rd party app
PROBLEM TYPE
Buffer Overflow vulnerability in O-RAN Software Community ric-plt-lib-rmr v.4.9.0 allows a remote attacker to cause a denial of service via the packet size component.
REFERENCES
– https://jira.o-ran-sc.org/browse/RIC-989
– https://www.trendmicro.com/en_us/research/23/l/the-current-state-of-open-ran-security.html
DESCRIPTION
The CVE-2023-40998 vulnerability involves incorrect packet information that can result in a negative packet size during decoding, leading to a crash when performing the memcpy operation.
DATE
2023-08-28
CVEID
CVE-2023-40997
CVSS Score
7.5 High
PRODUCT
O-RAN Software Community ric-plt-lib-rmr
VERSION
4.9.0
ATTACK VECTOR
3rd party app
PROBLEM TYPE
Buffer Overflow vulnerability in O-RAN Software Community ric-plt-lib-rmr v.4.9.0 allows a remote attacker to cause a denial of service via a crafted packet.
REFERENCES
– https://www.trendmicro.com/en_us/research/23/l/the-current-state-of-open-ran-security.html
– https://jira.o-ran-sc.org/browse/RIC-991
– https://ieeexplore.ieee.org/document/10433004
DESCRIPTION
CVE-2023-40997 involves a sent packet that cannot be properly decoded, causing an incorrect memory address calculation and resulting in an E2Term crash.
DATE
2023-08-28
CVEID
CVE-2022-43677
CVSS Score
5.5 Medium
PRODUCT
Free 5GC
VERSION
3.2.1
ATTACK VECTOR
Connected device
PROBLEM TYPE
In free5GC 3.2.1, a malformed NGAP message can crash the AMF and NGAP decoders via an index-out-of-range panic in aper.GetBitString.
REFERENCES
– https://www.trendmicro.com/en_us/research/23/j/asn1-vulnerabilities-in-5g-cores.html
– https://github.com/free5gc/free5gc/issues/402
DESCRIPTION
An adversary-controlled UE may be used to send a GTP-U packet with a malicious payload to the UPF/PGW in order to evade UPF/PGW routing controls and establish communications with a core NF. If the UPF/PGW does not perform proper parameter checks, it may route the packet to an improper destination such as a control-plane network function (e.g. SMF), which can put that NF into an undefined state and cause it to crash.
DATE
2022-10-24
CVEID
ZDI-CAN-18522
CVSS Score
8.3 High
PRODUCT
Nokia CMU
VERSION
N/A
ATTACK VECTOR
Remote, Network
PROBLEM TYPE
The adversary establishes two-way communication with the victim UE. Once the session is established, the adversary can launch further attacks such as inserting malware or executing Remote Procedure Calls (RPC). UEs in the private subnet become exposed to attacks from outside.
DESCRIPTION
We were able to exploit the GTP-U to attack connected devices from external networks, taking advantage of a packet reflection vulnerability in 5G core UPFs. This security gap is borne from the lack of IP cross-checking between the control and data planes in packet cores.
DATE
2022-08-08
CVEID
CVE-2021-45462
CVSS Score
7.5 High
PRODUCT
Open5GS
VERSION
2.4.0
ATTACK VECTOR
Connected device, Network
PROBLEM TYPE
In Open5GS 2.4.0, a crafted packet from UE can crash SGW-U/UPF.
REFERENCES
– https://github.com/open5gs/open5gs/commit/a0f2535cb5a29bba6dbbccdb90c74ccd770cc700
– https://www.trendmicro.com/en_us/research/23/i/attacks-on-5g-infrastructure-from-users-devices.html
DESCRIPTION
Two concepts can exploit GTP-U using CVE-2021-45462. In Open5GS, a C-language open-source implementation of the 5G Core and Evolved Packet Core (EPC), sending a zero-length, type=255 GTP-U packet from the user device resulted in a denial of service (DoS) of the UPF.
This is CVE-2021-45462, a security gap in the packet core that can crash the UPF (in 5G) or the Serving Gateway User Plane Function (SGW-U, in 4G/LTE) via an anomalous GTP-U packet crafted by the UE and sent over GTP-U. Given that the exploit affects a critical component of the infrastructure and cannot be resolved as easily, the vulnerability has received a Medium to High severity rating.
DATE
2021-12-23
CVEID
ZDI-CAN-14043
CVSS Score
PRODUCT
Open5GS
VERSION
2.2.9
ATTACK VECTOR
Connected device, Network
PROBLEM TYPE
An adversary-controlled UE may be used to send crafted NAS messages to the AMF to crash or slow down the AMF.
REFERENCES
– https://github.com/open5gs/open5gs/commit/00c96a3f0ffd12c4330bee9a3f9596f8e4b86b6f
DESCRIPTION
The AMF processes registration request messages from the UE and works with other NFs in the core to respond to those messages. By sending crafted NAS messages from the UE, an adversary may force the 5G core AMF or other control-plane functions into undefined states, which might result in DoS. UEs use a NAS connection (via the N1 interface) to the core AMF function. A specially crafted message can be used to cause a coding or parsing error that can potentially crash the AMF. Existing UEs and new UEs may then be unable to get service from the 5G network.
DATE
2021-06-01