CVE-2025-60638 is a denial of service (DoS) vulnerability identified in Free5GC versions 4.0.0 and 4.0.1, specifically targeting the Nnssf_NSSAIAvailability API. Free5GC is an open-source 5G core network implementation widely used for research, development, and some production environments. The vulnerability arises from the API's inadequate handling of crafted POST requests, which can exhaust system resources, leading to a crash or unresponsiveness of the affected service. This is classified under CWE-400, indicating uncontrolled resource consumption. The attack requires no authentication or user interaction and can be executed remotely over the network, making exploitation relatively straightforward. The CVSS v3.1 score of 7.5 reflects a high severity due to the significant impact on availability, although confidentiality and integrity remain unaffected. No patches or fixes have been published at the time of disclosure, and no active exploits have been reported. The vulnerability poses a risk to 5G network operators and service providers using Free5GC, potentially causing service disruptions that affect mobile network availability and reliability. Given the critical role of 5G infrastructure, such disruptions could have cascading effects on dependent services and users.

For European organizations, especially telecommunications providers and infrastructure operators utilizing Free5GC, this vulnerability could lead to significant service outages in 5G core network functions. Disruption of the Nnssf_NSSAIAvailability API can impair network slice selection services, which are essential for managing differentiated 5G services and quality of service guarantees. This could degrade user experience, interrupt critical communications, and impact business operations relying on 5G connectivity. Additionally, service downtime could lead to regulatory scrutiny and financial penalties under European data protection and telecommunications regulations. The broader impact includes potential erosion of trust in 5G services and increased operational costs due to incident response and mitigation efforts. Organizations relying on third-party 5G core providers using Free5GC may also face indirect risks. The lack of known exploits currently provides a window for proactive defense, but the ease of exploitation necessitates urgent attention.

Until official patches are released, European organizations should implement strict network access controls to limit exposure of the Nnssf_NSSAIAvailability API to trusted entities only, ideally isolating it behind firewalls or VPNs. Deploying rate limiting and anomaly detection on API endpoints can help identify and block suspicious POST requests indicative of exploitation attempts. Monitoring network traffic and system logs for unusual spikes or failures related to the API is critical for early detection. Organizations should engage with Free5GC community and vendors for timely updates and patches. Conducting thorough security assessments and penetration testing on 5G core components can uncover additional weaknesses. Where feasible, deploying redundant or failover systems can mitigate service disruption impact. Finally, updating incident response plans to include this vulnerability scenario will improve readiness.