
CVE-2025-6952: Reachable Assertion in Open5GS

Severity: Medium
Tags: Vulnerability, CVE-2025-6952, cve, cve-2025-6952
Published: Tue Jul 01 2025 (07/01/2025, 11:32:07 UTC)
Source: CVE Database V5
Product: Open5GS

Description

A vulnerability, which was classified as problematic, has been found in Open5GS up to 2.7.5. This issue affects the function amf_state_operational of the file src/amf/amf-sm.c of the component AMF Service. The manipulation leads to reachable assertion. It is possible to launch the attack on the local host. The identifier of the patch is 53e9e059ed96b940f7ddcd9a2b68cb512524d5db. It is recommended to apply a patch to fix this issue.

AI-Powered Analysis

Last updated: 07/01/2025, 11:55:23 UTC

Technical Analysis

CVE-2025-6952 is a medium severity vulnerability identified in Open5GS, an open-source implementation of the 5G core network. The flaw exists in versions 2.7.0 through 2.7.5 within the AMF (Access and Mobility Management Function) service component, specifically in the function amf_state_operational located in the source file src/amf/amf-sm.c. The vulnerability manifests as a reachable assertion failure, which occurs when certain conditions in the code are met, causing the program to terminate unexpectedly. This type of vulnerability can lead to denial of service (DoS) conditions by crashing the AMF service, which is critical for managing user equipment registration, mobility, and session management in 5G networks.

The attack vector requires local host access with low privileges (PR:L), no user interaction, and no elevated authentication, indicating that an attacker with limited local access can trigger the assertion failure. The CVSS 4.0 score of 4.8 reflects a medium severity, primarily due to the limited attack vector (local) and the impact being mostly on availability (denial of service) without direct confidentiality or integrity compromise.

No known exploits are currently reported in the wild, and a patch has been identified (commit 53e9e059ed96b940f7ddcd9a2b68cb512524d5db) to remediate the issue. The vulnerability does not require network access or user interaction, which limits remote exploitation but still poses a risk in environments where local access can be obtained, such as multi-tenant systems or compromised hosts.

Potential Impact

For European organizations deploying Open5GS as part of their 5G core network infrastructure, this vulnerability could lead to service disruptions due to the AMF component crashing. The AMF is essential for managing subscriber mobility and session states; thus, its failure can cause denial of service to end users, impacting network availability and potentially causing outages in critical communication services. This is particularly significant for telecom operators, private 5G network providers, and enterprises relying on 5G connectivity for operational continuity. While the vulnerability does not directly compromise data confidentiality or integrity, the availability impact can affect business operations, emergency services, and IoT deployments dependent on 5G connectivity. The requirement for local access reduces the risk of widespread remote exploitation but raises concerns in environments where attackers might gain local footholds, such as through insider threats or lateral movement after initial compromise. Given the strategic importance of 5G infrastructure in Europe’s digital economy and critical services, even medium severity vulnerabilities in core network components warrant prompt attention.

Mitigation Recommendations

European organizations should immediately verify if their Open5GS deployments are running affected versions (2.7.0 to 2.7.5) and apply the official patch identified by commit 53e9e059ed96b940f7ddcd9a2b68cb512524d5db. Beyond patching, it is crucial to restrict and monitor local access to Open5GS hosts, implementing strict access controls and auditing to detect unauthorized local activity. Employing host-based intrusion detection systems (HIDS) can help identify attempts to exploit this vulnerability. Network segmentation should be enforced to isolate 5G core components from less trusted network zones, minimizing the risk of lateral movement. Additionally, organizations should conduct regular security assessments and penetration tests focusing on local privilege escalation and assertion failure scenarios. Maintaining up-to-date backups and failover mechanisms for the AMF service can reduce downtime in case of exploitation. Finally, integrating vulnerability management processes that include monitoring for new Open5GS vulnerabilities and timely patch deployment is essential to maintain a secure 5G core environment.
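
One way to script the version check recommended above, added here as an example (it is not code from Open5GS or from this advisory). The function names and the sample version strings are assumptions; the version range and the commit id are the ones given on this page, and the version string itself is expected to come from your package manager or build metadata.

```shell
#!/bin/sh
# Added example: triage an Open5GS host for CVE-2025-6952.
FIX_COMMIT=53e9e059ed96b940f7ddcd9a2b68cb512524d5db   # patch id from the advisory

# classify_version VERSION
# Prints: affected | check-advisory | not-listed | unparsed
classify_version() {
    # Keep only the x.y.z core: drop a leading "v" and any suffix
    # such as "-15-g1a2b3c4" (git describe) or "~distro1" (packaging).
    core=$(printf '%s\n' "$1" |
        sed -n 's/^v\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p')
    [ -n "$core" ] || { echo unparsed; return 0; }
    major=${core%%.*}; rest=${core#*.}; minor=${rest%%.*}; patch=${rest#*.}
    # Fold the three fields into one integer so the range test is numeric.
    n=$(( major * 1000000 + minor * 1000 + patch ))
    if [ "$n" -ge 2007000 ] && [ "$n" -le 2007005 ]; then
        echo affected          # 2.7.0 .. 2.7.5, the range in the mitigation text
    elif [ "$n" -lt 2007000 ]; then
        echo check-advisory    # description says "up to 2.7.5", no lower bound
    else
        echo not-listed        # newer than the range listed on this page
    fi
}

# has_fix_commit SRC_DIR
# Exit 0 only if SRC_DIR is a git checkout whose HEAD contains the fix commit.
# A backported (cherry-picked) patch gets a new hash and is not detected here.
has_fix_commit() {
    git -C "$1" merge-base --is-ancestor "$FIX_COMMIT" HEAD 2>/dev/null
}

# triage VERSION [SRC_DIR]
# A source build can still report 2.7.x after the fix is merged, so an
# "affected" version is downgraded when the checkout contains the commit.
triage() {
    verdict=$(classify_version "$1")
    if [ "$verdict" = affected ] && [ -n "${2:-}" ] && has_fix_commit "$2"; then
        verdict=patched-source
    fi
    echo "$verdict"
}

# Stand-alone use: ./triage.sh 2.7.5 /path/to/open5gs-checkout
if [ "$#" -gt 0 ]; then triage "$@"; fi
```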


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-01T05:51:09.919Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6863c9006f40f0eb728f0ed6

Added to database: 7/1/2025, 11:39:44 AM

Last enriched: 7/1/2025, 11:55:23 AM

Last updated: 7/11/2025, 5:02:42 PM
