CVE-2026-44330
free5GC · free5GC
The free5GC NEF component suffers from an authentication bypass on the PFD management route group, allowing unauthenticated attackers to manipulate application data and subscriptions.
Executive summary
A critical authentication bypass in the free5GC NEF component allows unauthenticated attackers to read sensitive PFD data and manipulate notification subscriptions.
Vulnerability
The nnef-pfdmanagement route group is mounted without inbound OAuth2/bearer-token authorization, permitting unauthenticated access to PFD data retrieval and subscription management.
Business impact
A CVSS score of 10 reflects the severe impact of this vulnerability, which enables an attacker to influence PFD application data and subscription notifications. This could lead to service disruption, unauthorized data exfiltration, or the poisoning of network policy configurations within the 5G core.
Remediation
Immediate Action: Upgrade to free5GC version 4.2.2 or higher to enforce proper OAuth2 authentication for PFD management operations.
Proactive Monitoring: Monitor for anomalous GET/POST/DELETE requests targeting the NEF PFD management API endpoints.
Compensating Controls: Use a service mesh with strict authorization policies to intercept and block unauthorized requests to the NEF SBI.
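For the Proactive Monitoring item, one way to flag token-less requests to the nnef-pfdmanagement route group in access logs. This is an added example, not free5GC code: the JSON-lines log format, its field names, the addresses and the path segments after the route-group prefix are assumptions for a hypothetical proxy in front of the NEF.

```python
import json
import re

# Route group named in the advisory; matching is on this prefix only.
PFD_PREFIX = "/nnef-pfdmanagement/"
WATCHED_METHODS = {"GET", "POST", "DELETE"}

# Constructed sample: JSON-lines access log from a hypothetical proxy in front of
# the NEF SBI. Field names, addresses and paths after the prefix are assumptions.
SAMPLE_LOG = """\
{"src":"10.0.5.11","method":"GET","path":"/nnef-pfdmanagement/v1/applications","status":200,"authorization":"Bearer sample-token"}
{"src":"203.0.113.7","method":"GET","path":"/nnef-pfdmanagement/v1/applications","status":200}
{"src":"203.0.113.7","method":"POST","path":"/nnef-pfdmanagement/v1/subscriptions","status":201,"authorization":""}
{"src":"203.0.113.7","method":"DELETE","path":"/nnef-pfdmanagement/v1/subscriptions/1","status":204}
{"src":"198.51.100.9","method":"get","path":"//NNEF-PFDMANAGEMENT/v1/applications?x=1","status":401}
{"src":"10.0.5.11","method":"GET","path":"/metrics","status":200}
not-json
"""


def has_bearer(header):
    """True if an Authorization value carries a non-empty bearer token (validity is not checked)."""
    parts = (header or "").split(None, 1)
    return len(parts) == 2 and parts[0].lower() == "bearer"


def scan(lines):
    """Return token-less GET/POST/DELETE requests to the PFD management route group."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed or blank line: skip rather than abort the scan
        if not isinstance(rec, dict):
            continue
        # Normalise before matching: drop the query string, collapse "//", ignore case.
        path = re.sub(r"/{2,}", "/", str(rec.get("path", "")).split("?", 1)[0]).lower()
        method = str(rec.get("method", "")).upper()
        if not path.startswith(PFD_PREFIX) or method not in WATCHED_METHODS:
            continue
        if has_bearer(rec.get("authorization")):
            continue
        status = int(rec.get("status", 0))
        # A 2xx answer to a token-less request means the route is still served unauthenticated.
        findings.append({"line": lineno, "src": rec.get("src"), "method": method,
                         "path": path, "served": 200 <= status < 300})
    return findings
```

Findings with `served` set to true indicate an instance that still answers the route group without a token; after upgrading, the same requests should only appear as rejected.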
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the critical nature of core network policy components, immediate patching is required. Failure to secure these endpoints could allow attackers to manipulate critical network traffic and subscriber policies.