CVE-2025-70121: n/a
An array index out of bounds vulnerability in the AMF component of free5GC v4.0.1 allows remote attackers to cause a denial of service via a crafted 5GS Mobile Identity in a NAS Registration Request message. The issue occurs in the GetSUCI method (NAS_MobileIdentity5GS.go) when accessing index 5 of a 5-element array, leading to a runtime panic and AMF crash.
AI Analysis
Technical Summary
CVE-2025-70121 is an array index out of bounds vulnerability identified in the Access and Mobility Management Function (AMF) component of free5GC version 4.0.1, an open-source 5G core network implementation. The vulnerability arises in the GetSUCI method within the NAS_MobileIdentity5GS.go source file. Specifically, when processing a NAS Registration Request message containing a crafted 5GS Mobile Identity, the code attempts to access the sixth element (index 5) of a five-element array. This out-of-bounds access causes a runtime panic in the Go language environment, crashing the AMF process. Since the AMF is responsible for handling mobility management and registration procedures in 5G networks, its crash results in a denial of service condition, disrupting subscriber registration and mobility management. The vulnerability can be triggered remotely by an unauthenticated attacker sending a maliciously crafted NAS Registration Request message, requiring no user interaction. The CVSS v3.1 base score is 7.5, reflecting high severity due to network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to availability. No patches or mitigations are currently linked, and no known exploits have been reported in the wild. The underlying cause is a classic CWE-125 (Out-of-bounds Read) coding error, highlighting insufficient input validation and boundary checking in the AMF's NAS message parsing logic.
Potential Impact
The primary impact of this vulnerability is a denial of service against the AMF component of free5GC-based 5G core networks. An attacker can remotely crash the AMF by sending a specially crafted NAS Registration Request, causing a runtime panic and service disruption. This leads to unavailability of mobility management and registration services for subscribers, potentially affecting large numbers of users depending on the deployment scale. Disruption of AMF services can degrade network reliability, cause call drops, prevent new device registrations, and impact overall subscriber experience. For operators relying on free5GC in production or test environments, this could result in significant operational downtime and loss of trust. While confidentiality and integrity are not directly impacted, the availability impact is critical for network continuity. The ease of exploitation and lack of required privileges increase the risk of opportunistic or targeted attacks. Given the central role of AMF in 5G core networks, this vulnerability poses a substantial risk to telecommunications providers and their customers.
Mitigation Recommendations
To mitigate CVE-2025-70121, organizations should first monitor for updates or patches from the free5GC project and apply them promptly once available. In the absence of an official patch, temporary mitigations include implementing input validation and boundary checks on NAS Registration Request messages at network ingress points or within the AMF codebase if feasible. Deploying network-level filtering or anomaly detection to identify and block malformed NAS messages can reduce exposure. Operators should also consider deploying redundant AMF instances with failover capabilities to maintain service availability during an attack or crash event. Conducting thorough code reviews and fuzz testing on NAS message parsing components can help identify similar vulnerabilities proactively. Additionally, logging and monitoring AMF crashes and unusual NAS message patterns can aid in early detection of exploitation attempts. Finally, restricting network access to trusted entities and employing network segmentation can limit the attack surface.
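The boundary check and crash containment recommended above, as an added Go example; it is not free5GC code. The buffer layout and the names `fieldUnchecked`, `fieldChecked`, `safeHandle` and `ErrMalformedIdentity` are hypothetical, and the inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrMalformedIdentity is a hypothetical sentinel for rejected identity contents.
var ErrMalformedIdentity = errors.New("mobile identity: contents too short")

// fieldUnchecked shows the defect class: the offset is fixed by the parser but
// the buffer length is chosen by the sender, so off == len(contents) panics
// ("index out of range [5] with length 5" for a 5-byte buffer).
func fieldUnchecked(contents []byte, off int) byte {
	return contents[off]
}

// fieldChecked validates the offset against the received length and returns
// an error the caller can log and answer with a reject, instead of panicking.
func fieldChecked(contents []byte, off int) (byte, error) {
	if off < 0 || off >= len(contents) {
		return 0, fmt.Errorf("%w: need offset %d, have %d bytes",
			ErrMalformedIdentity, off, len(contents))
	}
	return contents[off], nil
}

// safeHandle is a per-message containment boundary: a panic raised while
// handling one message becomes an error instead of terminating the process.
// recover only catches panics raised in the same goroutine as the defer.
func safeHandle(handler func() byte) (out byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("handler panicked: %v", r)
		}
	}()
	return handler(), nil
}

func main() {
	short := []byte{0x01, 0x02, 0x03, 0x04, 0x05} // constructed 5-byte contents

	_, err := fieldChecked(short, 5)
	fmt.Println("checked:  ", err)

	_, err = safeHandle(func() byte { return fieldUnchecked(short, 5) })
	fmt.Println("contained:", err)
}
```

The recovered error is also a natural place to emit the log line that crash and malformed-message monitoring would alert on.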
Affected Countries
United States, China, South Korea, Japan, Germany, France, United Kingdom, India, Brazil, Australia, Canada, Italy, Spain, Russia, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-01-09T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 698f5286c9e1ff5ad84a5d32
Added to database: 2/13/2026, 4:34:14 PM
Last enriched: 2/20/2026, 10:46:22 PM
Last updated: 3/29/2026, 9:19:48 PM