cnvd - cnvd-2025-18577

CNVD-2025-18577

Vulnerability from cnvd - Published: 2025-08-15

Title

Open5GS存在未明漏洞（CNVD-2025-18577）

Description

Open5GS是Open5GS开源的一个5G Core和Epc的C语言开源实现，即Lte/Nr网络的核心网络。 Open5GS存在安全漏洞，攻击者可利用该漏洞导致可达断言。

Severity

中

Patch Name

Open5GS存在未明漏洞（CNVD-2025-18577）的补丁

Patch Description

Open5GS是Open5GS开源的一个5G Core和Epc的C语言开源实现，即Lte/Nr网络的核心网络。 Open5GS存在安全漏洞，攻击者可利用该漏洞导致可达断言。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/open5gs/open5gs/releases

Reference

https://github.com/open5gs/open5gs/commit/2daa44adab762c47a8cef69cc984946973a845b3

Impacted products

Name
Open5GS Open5GS <=2.7.3

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-5501",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-5501"
    }
  },
  "description": "Open5GS\u662fOpen5GS\u5f00\u6e90\u7684\u4e00\u4e2a5G Core\u548cEpc\u7684C\u8bed\u8a00\u5f00\u6e90\u5b9e\u73b0\uff0c\u5373Lte/Nr\u7f51\u7edc\u7684\u6838\u5fc3\u7f51\u7edc\u3002\n\nOpen5GS\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u53ef\u8fbe\u65ad\u8a00\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/open5gs/open5gs/releases",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-18577",
  "openTime": "2025-08-15",
  "patchDescription": "Open5GS\u662fOpen5GS\u5f00\u6e90\u7684\u4e00\u4e2a5G Core\u548cEpc\u7684C\u8bed\u8a00\u5f00\u6e90\u5b9e\u73b0\uff0c\u5373Lte/Nr\u7f51\u7edc\u7684\u6838\u5fc3\u7f51\u7edc\u3002\r\n\r\nOpen5GS\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u53ef\u8fbe\u65ad\u8a00\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Open5GS\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2025-18577\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Open5GS Open5GS \u003c=2.7.3"
  },
  "referenceLink": "https://github.com/open5gs/open5gs/commit/2daa44adab762c47a8cef69cc984946973a845b3",
  "serverity": "\u4e2d",
  "submitTime": "2025-06-11",
  "title": "Open5GS\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2025-18577\uff09"
}

CVE-2025-5501 (GCVE-0-2025-5501)

Vulnerability from cvelistv5 – Published: 2025-06-03 14:00 – Updated: 2025-06-03 14:16

Summary

A vulnerability classified as problematic was found in Open5GS up to 2.7.3. Affected by this vulnerability is the function ngap_handle_path_switch_request_transfer of the file src/smf/ngap-handler.c of the component NGAP PathSwitchRequest Message Handler. The manipulation leads to reachable assertion. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The patch is named 2daa44adab762c47a8cef69cc984946973a845b3. It is recommended to apply a patch to fix this issue.

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5.3 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-617 - Reachable Assertion

Assigner

VulDB

References

URL

Tags

	https://vuldb.com/?id.310915	vdb-entrytechnical-description
	https://vuldb.com/?ctiid.310915	signaturepermissions-required
	https://vuldb.com/?submit.582265	third-party-advisory
	https://github.com/open5gs/open5gs/issues/3909	issue-tracking
	https://github.com/open5gs/open5gs/issues/3909#is…	issue-tracking
	https://github.com/user-attachments/files/2036218…	exploit
	https://github.com/open5gs/open5gs/commit/2daa44a…	patch

Impacted products

	Vendor	Product	Version
	n/a	Open5GS	Affected: 2.7.0 Affected: 2.7.1 Affected: 2.7.2 Affected: 2.7.3

Credits

SQ0409 (VulDB User)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-5501",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-03T14:15:59.128747Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-03T14:16:02.935Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/open5gs/open5gs/issues/3909"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "NGAP PathSwitchRequest Message Handler"
          ],
          "product": "Open5GS",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "2.7.0"
            },
            {
              "status": "affected",
              "version": "2.7.1"
            },
            {
              "status": "affected",
              "version": "2.7.2"
            },
            {
              "status": "affected",
              "version": "2.7.3"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "SQ0409 (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability classified as problematic was found in Open5GS up to 2.7.3. Affected by this vulnerability is the function ngap_handle_path_switch_request_transfer of the file src/smf/ngap-handler.c of the component NGAP PathSwitchRequest Message Handler. The manipulation leads to reachable assertion. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The patch is named 2daa44adab762c47a8cef69cc984946973a845b3. It is recommended to apply a patch to fix this issue."
        },
        {
          "lang": "de",
          "value": "In Open5GS bis 2.7.3 wurde eine problematische Schwachstelle entdeckt. Es geht um die Funktion ngap_handle_path_switch_request_transfer der Datei src/smf/ngap-handler.c der Komponente NGAP PathSwitchRequest Message Handler. Dank der Manipulation mit unbekannten Daten kann eine reachable assertion-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Der Patch wird als 2daa44adab762c47a8cef69cc984946973a845b3 bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-617",
              "description": "Reachable Assertion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-03T14:00:21.279Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-310915 | Open5GS NGAP PathSwitchRequest Message ngap-handler.c ngap_handle_path_switch_request_transfer assertion",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.310915"
        },
        {
          "name": "VDB-310915 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.310915"
        },
        {
          "name": "Submit #582265 | Open5GS \u003c=2.7.3 Reachable Assertion",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.582265"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/open5gs/open5gs/issues/3909"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/open5gs/open5gs/issues/3909#issuecomment-2926682623"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/user-attachments/files/20362183/AMF.crash.due.to.pathswitchrequest.zip"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/open5gs/open5gs/commit/2daa44adab762c47a8cef69cc984946973a845b3"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-06-03T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-06-03T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-06-03T07:25:58.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Open5GS NGAP PathSwitchRequest Message ngap-handler.c ngap_handle_path_switch_request_transfer assertion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-5501",
    "datePublished": "2025-06-03T14:00:21.279Z",
    "dateReserved": "2025-06-03T05:20:34.328Z",
    "dateUpdated": "2025-06-03T14:16:02.935Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-18577

CVE-2025-5501 (GCVE-0-2025-5501)

Tags

Sightings

Nomenclature