CVE-2025-60632: n/a
An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Npcf_BDTPolicyControl API.
AI Analysis
Technical Summary
CVE-2025-60632 is a denial of service vulnerability identified in Free5GC versions 4.0.0 and 4.0.1, specifically targeting the Npcf_BDTPolicyControl API. Free5GC is an open-source 5G core network implementation widely used for research, development, and some production environments. The vulnerability arises from improper handling of crafted POST requests to this API endpoint, which can cause the service to crash or become unresponsive, leading to denial of service. The vulnerability is classified under CWE-617 (Reachable Assertion), indicating that an assertion failure or similar logic flaw is triggered by malicious input. The CVSS v3.1 score of 6.5 reflects a medium severity level, with an attack vector over the network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The impact is limited to availability (A:H) with no confidentiality or integrity loss. No known exploits have been reported in the wild, and no official patches have been released at the time of publication. This vulnerability poses a risk to 5G core network stability, potentially disrupting subscriber services and network operations. Given the critical role of the Npcf_BDTPolicyControl API in managing policy control functions, exploitation could degrade network performance or cause outages. The lack of authentication requirements lowers the barrier for attackers to attempt exploitation, although user interaction (sending crafted requests) is necessary. This vulnerability underscores the importance of robust input validation and API security in 5G core components.
Potential Impact
For European organizations, particularly telecommunications providers and network operators deploying Free5GC in their 5G core infrastructure, this vulnerability could lead to denial of service conditions affecting network availability. Service disruptions in 5G core functions can impact subscriber connectivity, degrade quality of service, and potentially cause cascading failures in dependent network services. This could result in customer dissatisfaction, regulatory scrutiny, and financial losses. Critical infrastructure relying on 5G for IoT, emergency services, and industrial applications may face operational risks. The medium severity indicates that while the vulnerability is not catastrophic, it still poses a tangible threat to network reliability. Since no known exploits exist yet, proactive mitigation is essential to prevent attackers from developing and deploying exploits. The impact is primarily on availability, with no direct compromise of data confidentiality or integrity, but availability issues in telecommunications can have widespread consequences.
Mitigation Recommendations
European organizations should implement the following specific mitigation strategies:
1) Deploy network-level filtering and intrusion detection systems to monitor and block anomalous POST requests targeting the Npcf_BDTPolicyControl API.
2) Enforce strict input validation and sanitization on all API endpoints to prevent malformed requests from triggering service failures.
3) Isolate the vulnerable Free5GC components within segmented network zones to limit the blast radius of potential DoS attacks.
4) Implement rate limiting on API requests to reduce the risk of resource exhaustion from crafted requests.
5) Maintain up-to-date monitoring and logging to detect early signs of exploitation attempts.
6) Engage with the Free5GC community and vendors for timely patches and updates once available.
7) Conduct regular security assessments and penetration testing focused on 5G core network components.
8) Prepare incident response plans specifically addressing 5G core service disruptions.
These measures go beyond generic advice by focusing on the unique aspects of 5G core network security and the specific API involved.
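One way to apply recommendations 1, 2 and 5 in front of the PCF until a fix is available, as an added Go example (not Free5GC code and not part of the advisory): a handler wrapper that size-limits and schema-checks POST bodies for this API and logs every rejection. The resource path and the mandatory-field list are assumptions taken from 3GPP TS 29.554, the advisory does not say which part of the request reaches the assertion, and `Guard`, `ValidBDTBody` and the 16 KiB cap are hypothetical names and values.

```go
package main

import (
	"bytes"
	"encoding/json"
	"io"
	"log"
	"net/http"
	"strings"
)

// Assumed, not from the advisory: the API's resource path as defined in 3GPP TS 29.554.
const bdtPath = "/npcf-bdtpolicycontrol/v1/bdtpolicies"

// Fields assumed mandatory in BdtReqData (TS 29.554). Pointers expose absent or null values.
type bdtReq struct {
	AspID      *string                                `json:"aspId"`
	DesTimeInt *struct{ StartTime, StopTime *string } `json:"desTimeInt"`
	NumOfUes   *int                                   `json:"numOfUes"`
	VolPerUe   *struct{}                              `json:"volPerUe"`
}

// ValidBDTBody accepts only one JSON object with every mandatory field present and well-typed.
func ValidBDTBody(body []byte) bool {
	var r bdtReq
	return json.Unmarshal(body, &r) == nil && r.AspID != nil && r.DesTimeInt != nil &&
		r.DesTimeInt.StartTime != nil && r.DesTimeInt.StopTime != nil &&
		r.NumOfUes != nil && *r.NumOfUes >= 0 && r.VolPerUe != nil
}

// Guard rejects non-conforming POSTs with 400 before they reach the PCF and logs each rejection.
func Guard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		if req.Method == http.MethodPost && strings.HasPrefix(req.URL.Path, bdtPath) {
			body, err := io.ReadAll(http.MaxBytesReader(w, req.Body, 16<<10)) // illustrative 16 KiB cap
			if err != nil || !ValidBDTBody(body) {
				log.Printf("bdt-guard: rejected POST %q from %s", req.URL.Path, req.RemoteAddr)
				http.Error(w, "invalid BdtReqData", http.StatusBadRequest)
				return
			}
			req.Body = io.NopCloser(bytes.NewReader(body)) // hand the checked bytes to the backend
		}
		next.ServeHTTP(w, req)
	})
}

func main() { // stub handler stands in for the PCF; the listen address is constructed
	pcf := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusCreated) })
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", Guard(pcf)))
}
```

The rejection log lines double as a detection signal: a burst of them from one peer is worth an alert even when every request was blocked.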
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69248078d5a1e53350b07798
Added to database: 11/24/2025, 3:57:44 PM
Last enriched: 12/1/2025, 4:45:27 PM
Last updated: 1/8/2026, 10:32:08 PM