CVE-2025-66719
free5GC · NRF
The free5GC NRF 1.4.0 access-token generation logic contains a flaw in the AccessTokenScopeCheck() function, allowing unauthorized access token generation.
Executive summary
An authentication bypass vulnerability in free5GC NRF 1.4.0 allows attackers to generate arbitrary access tokens, potentially leading to unauthorized network access.
Vulnerability
The vulnerability resides in the AccessTokenScopeCheck() function within internal/sbi/processor/access_token.go. By providing a crafted targetNF value, an attacker can bypass all scope validation checks during access token generation, granting them elevated privileges.
Business impact
With a CVSS score of 9.1 (Critical), this vulnerability presents a severe risk to 5G core network infrastructure. Exploitation allows an attacker to gain unauthorized access to network functions with arbitrary scopes, potentially leading to widespread service disruption, data exfiltration, and full compromise of the NRF (Network Repository Function) security model.
Remediation
Immediate Action: Update the free5GC NRF component to the latest patched version that addresses the scope validation bypass in the access_token.go file.
Proactive Monitoring: Audit access logs for unusual token generation requests and monitor for traffic originating from entities that should not possess specific network scopes.
Compensating Controls: Implement strict identity and access management (IAM) policies at the network layer to restrict communication between NRF components and untrusted entities.
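As an added illustration of the fail-closed scope validation the flaw lacks and of the log audit recommended above (example code written for this page, not free5GC's own; the policy table, NF types and scope names are constructed assumptions), a small Go audit that flags token requests whose targetNfType or scopes fall outside policy:

```go
package main
import "fmt"

// TokenRequest is a constructed, simplified view of one access-token request as it
// might appear in an NRF access log; it is not free5GC's own request type.
type TokenRequest struct {
	NfInstanceID, NfType, TargetNfType string
	Scopes                             []string
}

// allowedScopes is a hypothetical policy: per requester NF type, the scopes it may
// obtain from each target NF type. Anything absent from the map is denied.
var allowedScopes = map[string]map[string]map[string]bool{
	"AMF": {"UDM": {"nudm-sdm": true, "nudm-uecm": true}, "NRF": {"nnrf-disc": true}},
	"SMF": {"PCF": {"npcf-smpolicycontrol": true}},
}

// AuditTokenRequest returns the reasons a request violates the policy (empty means
// within policy). It fails closed: an unknown requester, an unexpected targetNfType,
// or an empty scope list is flagged outright rather than passed through.
func AuditTokenRequest(r TokenRequest) []string {
	byTarget, ok := allowedScopes[r.NfType]
	if !ok {
		return []string{"unknown requester NF type " + r.NfType}
	}
	allowed, ok := byTarget[r.TargetNfType]
	if !ok {
		return []string{"unexpected target NF type " + r.TargetNfType}
	}
	if len(r.Scopes) == 0 {
		return []string{"no scope requested"}
	}
	var reasons []string
	for _, s := range r.Scopes {
		if !allowed[s] {
			reasons = append(reasons, "scope "+s+" not allowed for "+r.NfType+"->"+r.TargetNfType)
		}
	}
	return reasons
}

func main() { // constructed sample records, not real traffic
	for _, r := range []TokenRequest{
		{"amf-01", "AMF", "UDM", []string{"nudm-sdm"}},
		{"amf-02", "AMF", "CHF", []string{"nchf-convergedcharging"}},
		{"smf-01", "SMF", "PCF", []string{"npcf-smpolicycontrol", "nudm-sdm"}},
	} {
		fmt.Println(r.NfInstanceID, AuditTokenRequest(r))
	}
}
```

Any non-empty result is a candidate for the "unusual token generation request" review the remediation section calls for; the policy map is where a deployment's real NF-to-scope allowlist would go.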
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability is highly severe because it undermines the fundamental trust model of the 5G core network. Administrators must treat the update as high priority and ensure that access-token generation logic strictly enforces scope validation across all deployments, to prevent unauthorized privilege escalation.