
CVE-2025-65805: n/a

High
Tags: Vulnerability, CVE-2025-65805, cve, cve-2025-65805
Published: Wed Jan 07 2026 (01/07/2026, 00:00:00 UTC)
Source: CVE Database V5

Description

OpenAirInterface CN5G AMF <= v2.1.9 has a buffer overflow vulnerability in processing NAS messages. Unauthorized remote attackers can launch a denial-of-service attack and potentially execute malicious code by accessing port N1 and sending an imsi string longer than 1000 to AMF.

AI-Powered Analysis

Last updated: 01/07/2026, 16:58:19 UTC

Technical Analysis

CVE-2025-65805 is a buffer overflow in the Access and Mobility Management Function (AMF) of the OpenAirInterface (OAI) 5G Core, affecting versions up to 2.1.9. It is triggered when the AMF processes a NAS (Non-Access Stratum) message containing an IMSI (International Mobile Subscriber Identity) string exceeding 1000 characters, which is significantly longer than typical IMSI lengths. The AMF listens on the N1 interface, which connects the 5G User Equipment (UE) to the core network. Because the length of the IMSI string in NAS messages is insufficiently validated, an attacker can send a crafted message that overflows the buffer.

The overflow can cause a denial-of-service (DoS) condition by crashing the AMF or, more critically, enable remote code execution (RCE) if the attacker can control the overflow data to inject malicious code. Exploitation requires network access to the N1 port but no authentication or user interaction, so the vulnerability is remotely exploitable. The AMF is a critical component responsible for managing UE registration, connection, and mobility in the 5G core network, so disruption or compromise can severely impact network availability and security.

No patches or exploits are currently publicly documented, but the vulnerability is publicly disclosed under CVE-2025-65805. No CVSS score has been assigned, so detailed impact metrics are not yet available, but the nature of the vulnerability suggests a high risk. It is particularly relevant for operators and vendors deploying OAI CN5G AMF in production environments, especially in Europe, where OAI is used in research and some commercial 5G deployments.

Potential Impact

The impact of CVE-2025-65805 on European organizations, particularly telecom operators and 5G service providers, can be significant. The AMF is a core network function that manages subscriber access and mobility; a successful exploit could lead to denial-of-service conditions, disrupting network availability and subscriber connectivity. More severe exploitation could allow attackers to execute arbitrary code on the AMF, potentially leading to full compromise of this 5G core network component. That could enable interception or manipulation of subscriber data, unauthorized access to network functions, or lateral movement within the operator's infrastructure.

Given the critical role of 5G networks in supporting essential services, industrial IoT, and public safety communications, such disruptions could have cascading effects on business operations and public services. European organizations relying on OpenAirInterface CN5G AMF without mitigations are at risk of service outages and data breaches. The remote, unauthenticated nature of the exploit heightens the threat. Because no public exploits currently exist, organizations have the opportunity to address the vulnerability before exploitation occurs.

Mitigation Recommendations

To mitigate CVE-2025-65805, European operators and organizations using OpenAirInterface CN5G AMF should:

1) Monitor official OpenAirInterface project channels for patches or updates addressing this vulnerability and apply them promptly once available.
2) Implement strict network segmentation and firewall rules to restrict access to the N1 interface, limiting it only to trusted and authenticated devices to reduce exposure.
3) Deploy intrusion detection and prevention systems (IDS/IPS) capable of detecting anomalous NAS message lengths or malformed IMSI strings to block potential exploit attempts.
4) Conduct thorough input validation on NAS messages at the network edge or within the AMF if possible, to reject messages with abnormally long IMSI strings.
5) Regularly audit and monitor AMF logs for unusual activity or crashes that could indicate exploitation attempts.
6) Consider deploying redundant AMF instances and failover mechanisms to maintain service availability in case of DoS attacks.
7) Engage with vendors and open-source communities to share threat intelligence and coordinate response efforts.

These measures go beyond generic advice by focusing on network-level controls, proactive detection, and operational resilience specific to the AMF and 5G core context.
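Recommendation 4 as an added example, not code from the OpenAirInterface project or from this advisory: a bounds-checked C decoder that rejects an over-long or malformed IMSI before any digit is written into a fixed 16-byte buffer. It assumes the IMSI arrives as a SUCI in IMSI format with the null protection scheme, laid out as in the 5GS mobile identity IE of 3GPP TS 24.501; the function names, constants and sample bytes are constructed for illustration, and the advisory does not say which AMF code path overflows.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IMSI_MAX_DIGITS 15   /* ITU-T E.212 upper bound for an IMSI */
#define SUCI_FIXED_OCTETS 8  /* type, MCC/MNC (3), routing indicator (2), scheme, key id */
#define MSIN_MAX_OCTETS 5    /* at most 10 BCD digits of MSIN */

/* Constructed sample (layout assumed from TS 24.501): IMSI 001010000000001. */
static const uint8_t SAMPLE_SUCI[] = {0x01, 0x00, 0xF1, 0x10, 0xF0, 0xFF, 0x00,
                                      0x00, 0x00, 0x00, 0x00, 0x00, 0x10};

/* Append one BCD nibble as an ASCII digit; refuse non-digits and a 16th digit. */
static int put_digit(char *out, size_t *n, uint8_t nib) {
    if (nib > 9 || *n >= IMSI_MAX_DIGITS) return -1;
    out[(*n)++] = (char)('0' + nib);
    return 0;
}

/* ie = IE contents after the IEI and 2-octet length. Returns digit count or -1. */
int decode_imsi_from_suci(const uint8_t *ie, size_t ie_len,
                          char out[IMSI_MAX_DIGITS + 1]) {
    size_t n = 0;
    /* Length gate before any byte is read or copied. */
    if (ie == NULL || ie_len <= SUCI_FIXED_OCTETS ||
        ie_len > SUCI_FIXED_OCTETS + MSIN_MAX_OCTETS) return -1;
    if ((ie[0] & 0x07) != 0x01) return -1;  /* type of identity must be SUCI */
    if ((ie[0] & 0x70) != 0x00) return -1;  /* SUPI format must be IMSI */
    if ((ie[6] & 0x0F) != 0x00) return -1;  /* null protection scheme only */
    /* MCC digits 1-3, then MNC digits 1-2 */
    if (put_digit(out, &n, ie[1] & 0x0F) || put_digit(out, &n, ie[1] >> 4) ||
        put_digit(out, &n, ie[2] & 0x0F) || put_digit(out, &n, ie[3] & 0x0F) ||
        put_digit(out, &n, ie[3] >> 4)) return -1;
    /* MNC digit 3 is 0xF when the MNC has two digits */
    if ((ie[2] >> 4) != 0x0F && put_digit(out, &n, ie[2] >> 4)) return -1;
    for (size_t i = SUCI_FIXED_OCTETS; i < ie_len; i++) {  /* MSIN, 2 digits/octet */
        if (put_digit(out, &n, ie[i] & 0x0F)) return -1;
        if ((ie[i] >> 4) == 0x0F && i == ie_len - 1) break;  /* odd-length filler */
        if (put_digit(out, &n, ie[i] >> 4)) return -1;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void) {
    char imsi[IMSI_MAX_DIGITS + 1];
    int n = decode_imsi_from_suci(SAMPLE_SUCI, sizeof SAMPLE_SUCI, imsi);
    return (n == 15 && strcmp(imsi, "001010000000001") == 0) ? 0 : 1;
}
```

The same two limits, total IE length and digit count, are what an IDS/IPS rule for recommendation 3 would key on.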


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-18T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 695e8cf77349d0379db031fd

Added to database: 1/7/2026, 4:42:31 PM

Last enriched: 1/7/2026, 4:58:19 PM

Last updated: 1/9/2026, 2:10:34 AM
