
CVE-2025-60632: n/a

Published: Mon Nov 24 2025 (11/24/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via a crafted POST request to the Npcf_BDTPolicyControl API.

AI-Powered Analysis

Last updated: 11/24/2025, 16:13:24 UTC

Technical Analysis

CVE-2025-60632 is a denial of service (DoS) vulnerability identified in Free5GC versions 4.0.0 and 4.0.1, which are open-source implementations of the 5G core network. The vulnerability arises from improper handling of POST requests sent to the Npcf_BDTPolicyControl API, a network function responsible for managing the binding and data transfer policies within the 5G core. An attacker can craft a malicious POST request that triggers a failure condition in this API, causing the affected network function to crash or become unresponsive. This results in denial of service, potentially disrupting the 5G core network's ability to enforce policy control and manage data traffic effectively. The vulnerability does not require authentication or user interaction, making it easier for remote attackers to exploit if they have network access to the API endpoint. Although no known exploits have been reported in the wild, the impact on availability of critical 5G infrastructure components is significant. The lack of a CVSS score indicates that the vulnerability is newly published and has not yet undergone formal severity assessment. Free5GC is increasingly adopted by telecom operators and research institutions for 5G core network deployments, making this vulnerability relevant to organizations relying on this software for their 5G infrastructure.

Potential Impact

The primary impact of CVE-2025-60632 is the disruption of 5G core network services due to denial of service on the Npcf_BDTPolicyControl API. For European organizations, especially telecom operators and service providers deploying Free5GC, this could lead to partial or complete loss of policy control functions, affecting subscriber data routing and quality of service enforcement. Such disruptions may degrade network performance, cause service outages, and impact end-user connectivity and experience. Given the critical role of 5G networks in supporting IoT, industrial automation, and emergency services, the vulnerability could have broader economic and societal consequences. Additionally, denial of service conditions could be leveraged as part of multi-stage attacks targeting telecom infrastructure. The absence of authentication requirements for exploitation increases the risk of remote attacks from within or near the network perimeter. European organizations involved in 5G research, development, and deployment using Free5GC are particularly vulnerable, potentially affecting national telecom infrastructure resilience and security.

Mitigation Recommendations

To mitigate CVE-2025-60632, European organizations should prioritize upgrading Free5GC to a patched version once available from the maintainers. In the interim, network administrators should implement strict access controls and firewall rules to restrict access to the Npcf_BDTPolicyControl API endpoint, allowing only trusted network entities to communicate with it. Deploying Web Application Firewalls (WAFs) or API gateways capable of detecting and blocking malformed or suspicious POST requests can reduce exposure. Monitoring network traffic for unusual patterns targeting the policy control API is recommended to detect potential exploitation attempts early. Additionally, organizations should conduct thorough input validation and implement rate limiting on API endpoints to prevent flooding attacks. Regular security audits and penetration testing focused on 5G core components can help identify and remediate similar vulnerabilities proactively. Collaboration with Free5GC developers and the wider 5G security community is advised to stay informed about patches and best practices.
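The input-validation step recommended above, shown as a Go gate that a gateway in front of the PCF could apply to POST requests on the BDT policy collection; this is an added example, not Free5GC code and not the upstream fix. The resource path and the mandatory `BdtReqData` attributes are assumed from 3GPP TS 29.554, while the 16 KiB cap and the names `CheckBDTBody` and `Guard` are hypothetical. Because the page does not describe the crafted request, the gate enforces only media type, size and required attributes.

```go
package main

import (
	"bytes"
	"encoding/json"
	"io"
	"net/http"
	"strings"
)

// Path and mandatory attributes assumed from 3GPP TS 29.554; the 16 KiB cap is constructed.
const bdtPath, maxBody = "/npcf-bdtpolicycontrol/v1/bdtpolicies", 16 << 10

var required = []string{"aspId", "desTimeInt", "numOfUes", "volPerUe"}

// CheckBDTBody returns 0 to forward the request, or the HTTP status to reject it with.
func CheckBDTBody(ctype string, body []byte) int {
	if !strings.HasPrefix(strings.ToLower(ctype), "application/json") {
		return http.StatusUnsupportedMediaType
	}
	if len(body) > maxBody {
		return http.StatusRequestEntityTooLarge
	}
	var doc map[string]json.RawMessage
	if json.Unmarshal(body, &doc) != nil {
		return http.StatusBadRequest // not a JSON object
	}
	for _, k := range required {
		if v := doc[k]; len(v) == 0 || string(v) == "null" {
			return http.StatusBadRequest // mandatory attribute absent or null
		}
	}
	return 0
}

// Guard is a hypothetical gateway hook wrapping the handler that reaches the PCF.
func Guard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost && r.URL.Path == bdtPath {
			body, _ := io.ReadAll(io.LimitReader(r.Body, maxBody+1)) // a short read fails the JSON check
			if c := CheckBDTBody(r.Header.Get("Content-Type"), body); c != 0 {
				http.Error(w, http.StatusText(c), c)
				return
			}
			r.Body = io.NopCloser(bytes.NewReader(body)) // replay the validated bytes upstream
		}
		next.ServeHTTP(w, r)
	})
}

func main() { println(CheckBDTBody("application/json", []byte(`{}`))) } // constructed body, prints 400
```

Rejected requests never reach the policy control handler, and the returned status codes give monitoring a distinct signal for malformed traffic aimed at this endpoint.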


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-09-26T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 69248078d5a1e53350b07798

Added to database: 11/24/2025, 3:57:44 PM

Last enriched: 11/24/2025, 4:13:24 PM

Last updated: 11/24/2025, 5:25:19 PM
