CVE-2025-60638 is a denial of service (DoS) vulnerability identified in the Free5GC open-source 5G core network software, specifically versions 4.0.0 and 4.0.1. The vulnerability arises from improper handling of POST requests sent to the Nnssf_NSSAIAvailability API, a component responsible for managing Network Slice Selection Assistance Information (NSSAI) availability in the 5G core network. An attacker can craft a malicious POST request targeting this API endpoint to trigger a failure or crash, resulting in denial of service. This disrupts the normal operation of the 5G core network functions that rely on this API, potentially causing service interruptions or outages for subscribers. The vulnerability does not require authentication, meaning that any actor capable of sending HTTP POST requests to the affected API endpoint can exploit it. No user interaction is necessary, and no known exploits have been reported in the wild at the time of publication. The lack of a CVSS score indicates that the vulnerability is newly disclosed and pending further analysis. However, the impact on availability of critical 5G network functions and the ease of exploitation without authentication suggest a significant risk. Free5GC is an open-source 5G core network implementation used by telecom operators, research institutions, and vendors to deploy 5G networks. The affected versions are relatively recent, indicating that deployments running these versions are vulnerable until patched. The absence of published patches requires organizations to implement interim mitigations such as network segmentation and access controls to protect the vulnerable API endpoint.

The primary impact of CVE-2025-60638 is on the availability of 5G core network services that utilize Free5GC versions 4.0.0 and 4.0.1. Exploitation can lead to denial of service conditions, causing network slice selection failures and potentially broader disruptions in subscriber connectivity and service quality. For European organizations, especially telecom operators and service providers deploying Free5GC, this could result in degraded network performance, service outages, and customer dissatisfaction. Critical infrastructure relying on 5G connectivity, such as emergency services, industrial automation, and IoT deployments, may also be affected. The disruption could have cascading effects on business operations and national communications infrastructure. Additionally, the vulnerability could be leveraged as part of a larger attack campaign targeting telecom infrastructure, increasing the risk profile for European networks. The lack of authentication requirement lowers the barrier for exploitation, potentially enabling remote attackers to cause outages without insider access. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as awareness of the vulnerability spreads.

1. Monitor Free5GC project communications and security advisories closely for official patches addressing CVE-2025-60638 and apply them promptly once available. 2. Implement strict network segmentation to isolate the Nnssf_NSSAIAvailability API endpoint, restricting access only to trusted internal systems and authorized management networks. 3. Deploy Web Application Firewalls (WAFs) or API gateways with rules to detect and block anomalous or malformed POST requests targeting the vulnerable API endpoint. 4. Use network-level access controls such as IP whitelisting and VPNs to limit exposure of the Free5GC management and API interfaces to external networks. 5. Conduct regular security assessments and penetration testing focused on 5G core network components to identify and remediate similar vulnerabilities proactively. 6. Establish monitoring and alerting for unusual traffic patterns or repeated POST requests to the Nnssf_NSSAIAvailability API that could indicate exploitation attempts. 7. Collaborate with vendors and open-source communities to contribute to security improvements and share threat intelligence related to 5G core vulnerabilities. 8. Prepare incident response plans specific to 5G network disruptions to minimize downtime and coordinate rapid recovery in case of exploitation.