The vulnerability identified as CVE-2025-66719 affects Free5gc NRF version 1.4.0, specifically within the access-token generation logic. The function AccessTokenScopeCheck(), located in internal/sbi/processor/access_token.go, is responsible for validating the scope of access tokens issued to network functions. However, due to improper validation logic, when an attacker crafts a specific targetNF value, the function bypasses all scope checks. This means that an attacker can request and obtain access tokens with arbitrary scopes, effectively granting them unauthorized permissions within the 5G core network. The NRF (Network Repository Function) is a pivotal component in the 5G core architecture, managing the registration and discovery of network functions and enforcing access control policies. By exploiting this flaw, an attacker could impersonate or escalate privileges across network functions, potentially leading to unauthorized data access, manipulation of network services, or disruption of 5G network operations. The vulnerability does not require user interaction but does require the attacker to send crafted requests to the NRF interface, which may be exposed internally or externally depending on network configuration. No CVSS score has been assigned yet, and no public patches or exploits are currently known. This vulnerability highlights a critical weakness in access control enforcement within a fundamental 5G core component.

For European organizations, particularly telecom operators and service providers deploying Free5gc or its derivatives, this vulnerability poses a significant risk. Unauthorized access tokens with arbitrary scopes can allow attackers to bypass security controls, access sensitive subscriber data, manipulate network functions, or disrupt service availability. This could lead to breaches of confidentiality, integrity, and availability of 5G network services. Given the increasing reliance on 5G for critical infrastructure, industrial IoT, and public safety communications in Europe, exploitation could have cascading effects beyond telecom networks, impacting other sectors dependent on 5G connectivity. The absence of known exploits currently provides a window for proactive mitigation, but the critical nature of the NRF function means that any successful exploit could have widespread and severe consequences.

1. Implement strict input validation on the targetNF parameter within the access-token generation logic to prevent crafted values from bypassing scope checks. 2. Conduct thorough code audits and security reviews of the access token generation and validation processes in Free5gc NRF implementations. 3. Monitor NRF logs and network traffic for anomalous or unexpected access token requests, especially those with unusual targetNF values or scopes. 4. Restrict access to the NRF interface to trusted internal networks and enforce strong authentication and authorization controls. 5. Engage with Free5gc maintainers or vendors for timely patches or updates addressing this vulnerability. 6. Deploy network segmentation and zero-trust principles to limit the impact of potential token misuse. 7. Prepare incident response plans specific to 5G core network compromises, including token misuse scenarios. 8. Consider deploying additional runtime application self-protection (RASP) or Web Application Firewall (WAF) solutions tailored to 5G core network components to detect and block exploitation attempts.