CVE-2025-66719

free5GC · NRF

The free5GC NRF 1.4.0 access-token generation logic contains a flaw in the AccessTokenScopeCheck() function, allowing unauthorized access token generation.

Executive summary

An authentication bypass vulnerability in free5GC NRF 1.4.0 allows attackers to generate arbitrary access tokens, potentially leading to unauthorized network access.

Vulnerability

The vulnerability resides in the AccessTokenScopeCheck() function within internal/sbi/processor/access_token.go. By providing a crafted targetNF value, an attacker can bypass all scope validation checks during access token generation, granting them elevated privileges.
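As an added illustration of the defensive pattern the fix needs to enforce, and not free5GC's own AccessTokenScopeCheck() code: a hypothetical fail-closed scope check in Go. It refuses a request whose targetNF is not listed for the requester instead of skipping validation, and grants only scopes explicitly permitted for that requester/target pair. The NF types and scope names in `scopePolicy` are a constructed sample policy.

```go
package main

import (
	"fmt"
	"strings"
)

// scopePolicy[requesterNFType][targetNFType] lists the scopes that pair may
// obtain. Constructed sample policy for illustration, not free5GC's config.
var scopePolicy = map[string]map[string][]string{
	"AMF": {"UDM": {"nudm-sdm", "nudm-uecm"}, "SMF": {"nsmf-pdusession"}},
	"SMF": {"UDM": {"nudm-sdm"}, "PCF": {"npcf-smpolicycontrol"}},
}

// CheckScopes validates a token request fail-closed: an unknown requester,
// an unlisted targetNF, an empty scope, or any single scope outside the
// policy rejects the whole request. On success it returns the granted
// scopes, which are exactly the requested ones (never a superset).
func CheckScopes(requesterNFType, targetNF, scope string) ([]string, error) {
	targets, ok := scopePolicy[requesterNFType]
	if !ok {
		return nil, fmt.Errorf("denied: unknown requester %q", requesterNFType)
	}
	// Exact match on purpose: an unrecognised targetNF must be refused,
	// never treated as "no restrictions apply".
	allowed, ok := targets[targetNF]
	if !ok {
		return nil, fmt.Errorf("denied: %s may not target %q", requesterNFType, targetNF)
	}
	requested := strings.Fields(scope) // OAuth scope values are space-separated
	if len(requested) == 0 {
		return nil, fmt.Errorf("denied: empty scope")
	}
	permitted := map[string]bool{}
	for _, s := range allowed {
		permitted[s] = true
	}
	for _, s := range requested {
		if !permitted[s] {
			return nil, fmt.Errorf("denied: scope %q not allowed for %s->%s", s, requesterNFType, targetNF)
		}
	}
	return requested, nil
}

func main() {
	fmt.Println(CheckScopes("AMF", "UDM", "nudm-sdm nudm-uecm"))
	fmt.Println(CheckScopes("AMF", "NOT-A-REAL-NF", "nudm-sdm"))
}
```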

Business impact

With a CVSS score of 9.1 (Critical), this vulnerability presents a severe risk to 5G core network infrastructure. Exploitation allows an attacker to gain unauthorized access to network functions with arbitrary scopes, potentially leading to widespread service disruption, data exfiltration, and full compromise of the NRF (Network Repository Function) security model.

Remediation

Immediate Action: Update the free5GC NRF component to the latest patched version that addresses the scope validation bypass in the access_token.go file.

Proactive Monitoring: Audit access logs for unusual token generation requests and monitor for traffic originating from entities that should not possess specific network scopes.

Compensating Controls: Implement strict identity and access management (IAM) policies at the network layer to restrict communication between NRF components and untrusted entities.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability is highly severe as it undermines the fundamental trust model of the 5G core network. Administrators must treat this as a high-priority update and ensure that the access-token generation logic is strictly enforced across all deployments to prevent unauthorized privilege escalation.