CVE-2025-66719
Weakness (CWE)
CVSS Vector (v3.1)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: None
Description
An issue was discovered in Free5gc NRF 1.4.0. In the access-token generation logic of free5GC, the AccessTokenScopeCheck() function in file internal/sbi/processor/access_token.go bypasses all scope validation when the attacker uses a crafted targetNF value. This allows attackers to obtain an access token with any arbitrary scope.
Comprehensive Technical Analysis of CVE-2025-66719
CVE ID: CVE-2025-66719
CVSS Score: 9.1 (Critical)
Affected Software: Free5GC NRF (Network Repository Function) v1.4.0
Vulnerability Type: Improper Access Control (Authorization Bypass)
1. Vulnerability Assessment & Severity Evaluation
Technical Overview
CVE-2025-66719 is a critical authorization bypass vulnerability in the Free5GC NRF (Network Repository Function), a core component of the 5G Core Network (5GC). The flaw resides in the access-token generation logic within the AccessTokenScopeCheck() function (internal/sbi/processor/access_token.go), where scope validation is entirely bypassed when an attacker supplies a crafted targetNF (Network Function) value.
CVSS Breakdown (v3.1)
| Metric | Score | Justification |
|---|---|---|
| Attack Vector (AV) | Network (N) | Exploitable remotely over the network. |
| Attack Complexity (AC) | Low (L) | No special conditions required; straightforward exploitation. |
| Privileges Required (PR) | None (N) | No prior authentication needed. |
| User Interaction (UI) | None (N) | No user interaction required. |
| Scope (S) | Changed (C) | Impacts other components (e.g., NFs relying on NRF-issued tokens). |
| Confidentiality (C) | High (H) | Attacker gains unauthorized access to sensitive NF services. |
| Integrity (I) | High (H) | Attacker can manipulate NF communications. |
| Availability (A) | High (H) | Potential for service disruption via unauthorized NF interactions. |
| Base Score | 9.1 (Critical) | High impact on confidentiality, integrity, and availability. |
Severity Justification
- Critical Impact: The vulnerability allows unauthenticated attackers to bypass scope validation and obtain access tokens with arbitrary privileges, enabling unauthorized access to 5G core network functions.
- Exploitation Simplicity: The attack requires no prior authentication and can be executed remotely with minimal effort.
- Scope of Impact: Affects all NFs (Network Functions) relying on the NRF for OAuth2-based access control, potentially leading to lateral movement, data exfiltration, or service disruption in 5G networks.
2. Potential Attack Vectors & Exploitation Methods
Exploitation Mechanism
- Token Request Manipulation
  - The attacker sends a maliciously crafted targetNF value in an OAuth2 token request to the NRF.
  - The AccessTokenScopeCheck() function fails to validate the scope when the targetNF is manipulated, allowing the attacker to bypass all authorization checks.
- Arbitrary Scope Assignment
  - The NRF blindly trusts the targetNF parameter and issues an access token with the requested (or default) scope, even if the attacker should not have access.
  - The attacker can specify any NF (e.g., AMF, SMF, UDM) as the targetNF, gaining unauthorized access to that NF's services.
- Privilege Escalation & Lateral Movement
  - With a forged access token, the attacker can:
    - Impersonate legitimate NFs (e.g., AMF, SMF).
    - Access sensitive subscriber data (e.g., IMSI, location, session keys).
    - Manipulate network functions (e.g., session hijacking, DoS).
    - Exfiltrate data via compromised NFs.
Exploitation Steps (Proof of Concept)
- Intercept or Craft a Token Request
  - The attacker sends an HTTP POST request to the NRF's /oauth2/token endpoint with:

```http
POST /oauth2/token HTTP/1.1
Host: <NRF_IP>:8000
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=<ATTACKER_CONTROLLED_NF>&client_secret=<ANY_VALUE>&targetNF=<MALICIOUS_NF_TYPE>&scope=<ARBITRARY_SCOPE>
```

  - Key Manipulation: The targetNF is set to a legitimate NF type (e.g., "AMF"), but the scope is arbitrarily defined (e.g., nrf:access, udm:subscriber-data).
- NRF Issues a Forged Token
  - The NRF fails to validate the scope and returns a JWT access token with the requested privileges.
  - Example response:

```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "nrf:access amf:registration"
}
```

- Use the Token to Access Protected NFs
  - The attacker uses the forged token to interact with other NFs (e.g., AMF, SMF) as if they were a legitimate NF.
  - Example API call to AMF:

```http
GET /namf-comm/v1/ue-contexts HTTP/1.1
Host: <AMF_IP>:8000
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
```
Real-World Attack Scenarios
| Scenario | Impact |
|---|---|
| Subscriber Data Theft | Attacker accesses UDM (Unified Data Management) to exfiltrate IMSI, MSISDN, or authentication vectors. |
| Session Hijacking | Attacker manipulates SMF (Session Management Function) to redirect user traffic or inject malicious payloads. |
| Network DoS | Attacker floods AMF (Access and Mobility Management Function) with fake registration requests, causing service disruption. |
| Lateral Movement | Attacker uses a forged token to pivot into other NFs, escalating privileges within the 5G core. |
3. Affected Systems & Software Versions
Vulnerable Software
- Free5GC NRF (Network Repository Function) v1.4.0
  - The vulnerability exists in the access token generation logic (internal/sbi/processor/access_token.go).
  - Earlier versions (≤1.3.x) may also be affected if they share the same flawed implementation.
Affected Deployments
- 5G Core Networks using Free5GC (common in testbeds, research, and private 5G deployments).
- Cloud-native 5G deployments (e.g., Kubernetes-based Free5GC).
- Telecom operators experimenting with open-source 5G cores.
Not Affected
- Commercial 5G core solutions (e.g., Ericsson, Nokia, Huawei) do not use Free5GC and are not impacted.
- Free5GC versions ≥1.4.1 (assuming the patch is applied).
4. Recommended Mitigation Strategies
Immediate Actions
- Apply the Official Patch
  - Upgrade to Free5GC NRF v1.4.1 (or later) where the vulnerability is fixed.
  - Patch Reference: GitHub PR #73
- Temporary Workarounds (If Patch Not Available)
  - Network-Level Protections:
    - Restrict NRF access to trusted NFs only (via firewall rules, VLAN segmentation, or mutual TLS).
    - Rate-limit token requests to prevent brute-force attacks.
  - Application-Level Fixes:
    - Manually validate targetNF in the AccessTokenScopeCheck() function before issuing tokens.
    - Enforce strict scope validation (e.g., whitelist allowed scopes per NF type).
- Monitor for Exploitation Attempts
  - Log and alert on unusual token requests (e.g., mismatched targetNF and scope).
  - Deploy an IDS/IPS (e.g., Suricata, Snort) to detect malformed OAuth2 requests.
Long-Term Recommendations
- Implement Zero Trust for 5G Core
  - Enforce mutual TLS (mTLS) between NFs to prevent token spoofing.
  - Adopt OAuth2 best practices (e.g., short-lived tokens, token binding).
- Conduct a Security Audit
  - Review all Free5GC components for similar authorization flaws.
  - Penetration test the 5G core for token manipulation vulnerabilities.
- Enhance Logging & Incident Response
  - Centralize logs from NRF and other NFs for correlation and anomaly detection.
  - Develop an IR playbook for 5G core breaches (e.g., token revocation, NF isolation).
5. Impact on the Cybersecurity Landscape
Broader Implications
- 5G Security Risks
  - Highlights critical flaws in open-source 5G core implementations, which are increasingly used in private 5G networks.
  - Undermines trust in OAuth2-based authorization in telecom environments.
- Supply Chain & Third-Party Risks
  - Free5GC is used in research and testing, meaning vulnerable deployments may exist in academia, startups, and telecom labs.
  - Downstream vendors integrating Free5GC may inherit this vulnerability.
- Regulatory & Compliance Concerns
  - Violates 3GPP security standards (e.g., TS 33.501), which mandate strong authentication and authorization.
  - May lead to GDPR violations if subscriber data is exposed.
- Exploitation by APTs & Cybercriminals
  - State-sponsored actors (e.g., APT groups) could exploit this for espionage (e.g., tracking high-value targets).
  - Cybercriminals could sell forged 5G access tokens on dark web markets.
Comparison to Similar Vulnerabilities
| CVE | Description | Similarity to CVE-2025-66719 |
|---|---|---|
| CVE-2021-44228 (Log4Shell) | RCE via JNDI injection | High impact, easy exploitation |
| CVE-2020-13942 (Apache Unomi RCE) | Unauthenticated RCE in marketing automation | Unauthenticated access leading to full compromise |
| CVE-2019-11358 (jQuery Prototype Pollution) | Client-side prototype pollution | Authorization bypass via input manipulation |
Key Takeaway: Like Log4Shell, this vulnerability is highly exploitable with severe consequences, but specific to 5G core networks.
6. Technical Details for Security Professionals
Root Cause Analysis
- Flaw Location: internal/sbi/processor/access_token.go (Free5GC NRF)
- Vulnerable Function: AccessTokenScopeCheck()
- Issue: The function skips scope validation if the targetNF is not in a predefined list, allowing arbitrary scope assignment.
Code Snippet (Vulnerable Logic)
```go
package processor

// allowedNFs is the predefined list of known NF types. Its real contents are
// not shown on this page; the entries below are placeholders.
var allowedNFs = map[string]bool{"AMF": true, "SMF": true, "UDM": true}

func AccessTokenScopeCheck(targetNF, scope string) bool {
	// BUG: If targetNF is not in allowedNFs, validation is bypassed!
	if _, exists := allowedNFs[targetNF]; !exists {
		return true // ❌ Bypass all checks!
	}
	// ... (rest of scope validation logic)
	return false
}
```
- Fix: The patch removes the bypass condition and enforces strict scope validation for all targetNF values.
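The fail-closed form of this check, written here as an added example rather than free5GC's own code, beside a reproduction of the flawed short-circuit for comparison. The per-NF allow-list and the scope names (which follow 3GPP's convention of naming NF services, e.g. namf-comm) are constructed for illustration.

```go
package main

import "strings"

// Allowed scopes per target NF type. Constructed for this example; the scope
// names follow 3GPP's convention of naming NF services (e.g. namf-comm).
var allowedScopes = map[string]map[string]bool{
	"AMF": {"namf-comm": true, "namf-evts": true, "namf-loc": true},
	"SMF": {"nsmf-pdusession": true, "nsmf-event-exposure": true},
	"UDM": {"nudm-sdm": true, "nudm-uecm": true, "nudm-ueau": true},
}

// vulnerableScopeCheck mirrors the flawed logic described above: an unknown
// targetNF short-circuits to "allowed", so any requested scope passes.
func vulnerableScopeCheck(targetNF, scope string) bool {
	allowed, exists := allowedScopes[targetNF]
	if !exists {
		return true // bypass: the target is never checked
	}
	return scopesSubset(scope, allowed)
}

// hardenedScopeCheck fails closed: an unknown targetNF is rejected and every
// requested scope must be on that target's allow-list.
func hardenedScopeCheck(targetNF, scope string) bool {
	allowed, exists := allowedScopes[targetNF]
	if !exists {
		return false // deny by default
	}
	return scopesSubset(scope, allowed)
}

// scopesSubset reports whether every space-separated scope is allowed. An
// empty scope string is rejected rather than treated as "no restriction".
func scopesSubset(scope string, allowed map[string]bool) bool {
	fields := strings.Fields(scope)
	if len(fields) == 0 {
		return false
	}
	for _, s := range fields {
		if !allowed[s] {
			return false
		}
	}
	return true
}
```

For an unknown targetNF such as "XYZ" with scope "nudm-sdm", vulnerableScopeCheck returns true and hardenedScopeCheck returns false; for a known target the two agree.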
Exploitation Indicators (IOCs)
| Indicator | Description |
|---|---|
| HTTP Requests | POST /oauth2/token with mismatched targetNF and scope. |
| Token Anomalies | JWT tokens with unexpected scopes (e.g., amf:registration for a non-AMF NF). |
| Network Traffic | Unusual NF-to-NF communication (e.g., a "SMF" accessing UDM). |
Detection & Hunting Queries
SIEM Rules (Splunk/ELK)
```
index=network sourcetype=free5gc_nrf
| search uri_path="/oauth2/token" AND targetNF=* AND scope=*
| stats count BY client_ip, targetNF, scope
| where count > 5 AND ((targetNF="AMF" AND NOT like(scope, "amf:%")) OR (targetNF="UDM" AND NOT like(scope, "udm:%")))
```
Zeek (Bro) Script
```zeek
@load base/frameworks/notice

module HTTP;
export { redef enum Notice::Type += { SuspiciousTokenRequest }; }

# Zeek's http_request event carries five arguments, not four.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    # Form-encoded POST bodies are not visible here; only query-string
    # parameters can be checked (hook http_entity_data for the body).
    if ( method != "POST" || /^\/oauth2\/token(\?|$)/ !in unescaped_URI )
        return;
    # targetNF=AMF combined with a scope that is not an amf: scope
    if ( /[?&]targetNF=AMF(&|$)/ in unescaped_URI
         && /[?&]scope=amf:/ !in unescaped_URI )
        NOTICE([$note=SuspiciousTokenRequest,
                $msg=fmt("Potential CVE-2025-66719 exploitation: %s", unescaped_URI),
                $conn=c]);
    }
```
Forensic Analysis Steps
- Examine NRF Logs
  - Look for token requests with unusual targetNF/scope combinations.
  - Check for tokens issued to unexpected NFs.
- Analyze JWT Tokens
  - Decode suspicious tokens using: jwt_tool <TOKEN> -d
  - Verify scope claims against expected permissions.
- Network Traffic Analysis
  - Use Wireshark/TShark to inspect HTTP/2 or HTTP/1.1 traffic to the NRF.
  - Filter for: http.request.uri contains "/oauth2/token" && http.request.method == "POST"
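Added example (not from the page or the free5GC project) for the JWT triage step above: it decodes a captured token's payload without verifying the signature and flags scope claims whose NF service prefix does not match the token's audience. The claim names aud and scope, and the sample token, are assumptions constructed here.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims examined in triage; that free5GC emits aud/scope in this form is assumed.
type tokenClaims struct {
	Aud   string `json:"aud"`
	Scope string `json:"scope"`
}

// decodeClaims parses the JWT payload without checking the signature:
// this is triage of a captured token, not token validation.
func decodeClaims(token string) (tokenClaims, error) {
	var c tokenClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed JWT: %d segments", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, fmt.Errorf("payload is not base64url: %w", err)
	}
	return c, json.Unmarshal(raw, &c)
}

// anomalousScopes returns granted scopes whose service name does not belong
// to the audience NF type: 3GPP names NF services "n<nftype>-<service>", so
// a token whose audience is the AMF should carry only namf-* scopes.
func anomalousScopes(c tokenClaims) []string {
	want := "n" + strings.ToLower(c.Aud) + "-"
	var bad []string
	for _, s := range strings.Fields(c.Scope) {
		if !strings.HasPrefix(s, want) {
			bad = append(bad, s)
		}
	}
	return bad
}

// sampleToken builds a constructed, unsigned token; it is not an NRF token.
func sampleToken() string {
	payload := `{"sub":"smf-42","aud":"AMF","scope":"namf-comm nudm-sdm"}`
	return "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9." +
		base64.RawURLEncoding.EncodeToString([]byte(payload)) + ".sig"
}
```

Decoding sampleToken() and passing the claims to anomalousScopes yields [nudm-sdm]: a token whose audience is the AMF carrying a UDM scope, which is the mismatch the IOC table above describes.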
Conclusion & Key Takeaways
Summary
- CVE-2025-66719 is a critical authorization bypass in Free5GC NRF, allowing unauthenticated attackers to obtain arbitrary access tokens.
- Exploitation is trivial and can lead to full 5G core compromise, including data theft, session hijacking, and DoS.
- Affected organizations must patch immediately and implement compensating controls (e.g., network segmentation, mTLS).
Recommendations for Security Teams
✅ Patch Free5GC NRF to v1.4.1+ (or apply the fix manually).
✅ Restrict NRF access to trusted NFs only.
✅ Monitor for anomalous token requests (SIEM, IDS/IPS).
✅ Conduct a 5G core security audit to identify similar flaws.
✅ Adopt Zero Trust principles for NF-to-NF communication.
Final Risk Assessment
| Factor | Assessment |
|---|---|
| Exploitability | High (Unauthenticated, remote, low complexity) |
| Impact | Critical (Full 5G core compromise possible) |
| Likelihood of Exploitation | High (Public PoC likely to emerge) |
| Mitigation Feasibility | Medium (Patch available, but compensating controls needed) |
Urgent Action Required: Organizations using Free5GC must treat this as a critical priority to prevent catastrophic 5G core breaches.