CVE-2025-63288 is a vulnerability identified in Open5GS version 2.7.6, an open-source 5G core network implementation. The flaw resides in the Access and Mobility Management Function (AMF), a critical component responsible for managing user equipment registration, connection, and mobility. Specifically, the AMF crashes when it receives an abnormal NGSetupRequest message, which is part of the NG interface setup procedure between the 5G core and the gNodeB (5G base station). The abnormal message likely violates protocol expectations or contains malformed data that the AMF fails to handle gracefully, resulting in a denial of service (DoS) condition. This crash disrupts the AMF's ability to process legitimate network setup requests, leading to potential service outages or degraded network performance. The vulnerability does not require authentication, meaning an attacker with network access to the AMF interface could exploit it by sending crafted NGSetupRequest messages. No CVSS score is assigned yet, and no public exploits have been reported. However, the impact on network availability is significant given the AMF's central role in 5G core operations. Open5GS is widely used in research, testing, and some production environments, especially in cost-sensitive or experimental deployments. The lack of patch links suggests that a fix may not yet be publicly available, emphasizing the need for proactive mitigation.

For European organizations, particularly telecom operators and service providers deploying Open5GS 2.7.6, this vulnerability poses a substantial risk to 5G network availability. A successful exploit could cause AMF crashes, leading to denial of service that disrupts user registrations, mobility management, and session establishment. This disruption can degrade customer experience, cause revenue loss, and impact critical services relying on 5G connectivity. Given the increasing reliance on 5G for industrial automation, smart cities, and emergency services in Europe, such outages could have broader societal and economic consequences. Additionally, the ease of triggering the crash without authentication increases the attack surface, especially if the AMF interfaces are exposed or insufficiently segmented. While no exploits are currently known in the wild, the vulnerability's presence in a core network component makes it a high-value target for attackers aiming to cause widespread disruption or to leverage as part of multi-stage attacks.

European organizations should immediately audit their 5G core network deployments to identify if Open5GS version 2.7.6 is in use, particularly the AMF component. Network segmentation and strict access controls should be enforced to limit exposure of the AMF interface to untrusted networks. Deploy network intrusion detection systems (NIDS) with custom signatures to detect and alert on abnormal NGSetupRequest messages or malformed NG interface traffic. Operators should engage with the Open5GS community or vendors to obtain patches or updates addressing this vulnerability as soon as they become available. In the interim, consider implementing rate limiting or filtering on NG interface traffic to mitigate potential DoS attempts. Regularly monitor AMF logs and system health metrics for signs of crashes or instability. For critical deployments, consider fallback or redundancy mechanisms to maintain service continuity if the AMF crashes. Finally, update incident response plans to include scenarios involving 5G core component failures due to malformed protocol messages.