
CVE-2024-51179: n/a

Severity: High
Type: Vulnerability
Tags: cve, cve-2024-51179
Published: Tue Nov 12 2024 (11/12/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

CVE-2024-51179 is a high-severity vulnerability in Open 5GS version 2.7.1 that allows remote attackers to cause a denial of service (DoS) by exploiting the Network Function Virtualizations (NFVs), specifically targeting the User Plane Function (UPF) and Session Management Function (SMF) during the Packet Data Unit (PDU) session establishment process. The vulnerability requires no authentication or user interaction and can be exploited over the network, leading to service disruption without compromising confidentiality or integrity. No known exploits are currently reported in the wild. Organizations relying on Open 5GS for 5G core network functions should prioritize patching or applying mitigations once available to prevent potential DoS attacks that could impact network availability and service continuity.

AI-Powered Analysis

Last updated: 02/26/2026, 01:24:13 UTC

Technical Analysis

CVE-2024-51179 is a vulnerability identified in Open 5GS version 2.7.1, an open-source implementation of the 5G core network. The flaw resides in the handling of the Packet Data Unit (PDU) session establishment process within the Network Function Virtualizations (NFVs), particularly affecting the User Plane Function (UPF) and Session Management Function (SMF). These components are critical for managing data sessions and routing user traffic in 5G networks. The vulnerability allows a remote attacker to send crafted network traffic that triggers a denial of service condition, causing the affected NFVs to crash or become unresponsive. This results in disruption of the PDU session establishment, effectively denying service to legitimate users. The vulnerability is exploitable without any authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score is 7.5, reflecting high severity due to the ease of exploitation and significant impact on availability. The underlying weakness is classified under CWE-404 (Improper Resource Shutdown or Release), indicating that the affected components fail to properly handle resource cleanup during session establishment, leading to instability or crashes. No patches or fixes have been linked yet, and no active exploits have been reported, but the exposure of critical 5G core functions makes this a significant threat to network operators using Open 5GS.

Potential Impact

The primary impact of CVE-2024-51179 is a denial of service condition affecting 5G core network functions, specifically the UPF and SMF, which are essential for managing user data sessions. Successful exploitation can disrupt the establishment of PDU sessions, leading to service outages or degraded network performance. This can affect mobile network operators, service providers, and enterprises relying on Open 5GS for their 5G infrastructure. The disruption could result in loss of connectivity for end users, impacting voice, data, and IoT services. Given the critical role of 5G networks in modern communications, such outages could have cascading effects on emergency services, industrial automation, and other latency-sensitive applications. While confidentiality and integrity are not directly impacted, the availability degradation poses a significant operational risk. The lack of authentication requirements and remote exploitability increase the likelihood of attacks, potentially by opportunistic attackers or nation-state actors targeting telecommunications infrastructure.

Mitigation Recommendations

Organizations using Open 5GS version 2.7.1 should immediately assess their exposure to this vulnerability. Since no official patches are currently available, operators should implement network-level protections such as filtering and rate-limiting traffic directed at the UPF and SMF interfaces to mitigate potential exploitation. Deploying intrusion detection and prevention systems (IDS/IPS) with signatures tuned to detect anomalous PDU session establishment requests can help identify and block attack attempts. Network segmentation and isolation of NFV components can limit the blast radius of an attack. Monitoring system logs and performance metrics for signs of instability or crashes in UPF and SMF functions is critical for early detection. Operators should stay informed on updates from the Open 5GS project and apply patches promptly once released. Additionally, conducting regular security audits and penetration testing focused on 5G core network components will improve overall resilience against similar vulnerabilities.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-10-28T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6bacb7ef31ef0b55888e

Added to database: 2/25/2026, 9:37:48 PM

Last enriched: 2/26/2026, 1:24:13 AM

Last updated: 2/26/2026, 11:52:34 AM
