{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/udm/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-27642"}],"_cs_exploited":false,"_cs_products":["udm"],"_cs_severities":["medium"],"_cs_tags":["information-disclosure","input-validation","free5GC"],"_cs_type":"advisory","_cs_vendors":["free5gc"],"content_html":"\u003cp\u003eThe free5GC UDM (Unified Data Management) component, specifically versions up to and including v1.4.2, is vulnerable to an information disclosure vulnerability. The vulnerability lies in the \u003ccode\u003enudm-sdm\u003c/code\u003e service, where six GET handlers lack proper validation of the \u003ccode\u003esupi\u003c/code\u003e path parameter. This omission allows an unauthenticated attacker to inject control characters into the \u003ccode\u003esupi\u003c/code\u003e parameter. Consequently, the UDM forwards a malformed request to UDR (Unified Data Repository), leading to a \u003ccode\u003e500 Internal Server Error\u003c/code\u003e. This error response inadvertently exposes internal infrastructure details, including the UDR hostname and port, full internal API path structure, UDR API version, and internal service naming conventions. This vulnerability is a missed fix of CVE-2026-27642.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a GET request to a vulnerable UDM endpoint (\u003ccode\u003e/nudm-sdm/v2/:supi/smf-select-data\u003c/code\u003e, \u003ccode\u003e/nudm-sdm/v2/:supi/nssai\u003c/code\u003e, \u003ccode\u003e/nudm-sdm/v2/:supi/trace-data\u003c/code\u003e, \u003ccode\u003e/nudm-sdm/v2/:supi/sm-data\u003c/code\u003e, \u003ccode\u003e/nudm-sdm/v2/:supi\u003c/code\u003e, or \u003ccode\u003e/nudm-sdm/v2/:supi/ue-context-in-smf-data\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esupi\u003c/code\u003e parameter in the URL contains injected control characters (e.g., \u003ccode\u003e%00\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe UDM fails to validate the \u003ccode\u003esupi\u003c/code\u003e parameter using \u003ccode\u003evalidator.IsValidSupi()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe UDM constructs a URL to the UDR, incorporating the malformed \u003ccode\u003esupi\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eGo\u0026rsquo;s \u003ccode\u003enet/url\u003c/code\u003e parser rejects the malformed URL containing control characters.\u003c/li\u003e\n\u003cli\u003eThe UDM catches the parsing error.\u003c/li\u003e\n\u003cli\u003eThe UDM responds with a \u003ccode\u003e500 SYSTEM_FAILURE\u003c/code\u003e error, including internal details in the \u003ccode\u003edetail\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the \u003ccode\u003e500\u003c/code\u003e response containing sensitive internal information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAn unauthenticated remote attacker can obtain internal infrastructure details by sending a crafted GET request to a vulnerable UDM endpoint. This information includes the internal UDR hostname and port, the full internal API path structure, the UDR API version, and the internal service naming convention. This information can then be used to facilitate further attacks against the UDR or other internal 5G core components.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the fix recommended by the vendor to include \u003ccode\u003evalidator.IsValidSupi()\u003c/code\u003e to all six affected handlers in \u003ccode\u003einternal/sbi/api_subscriberdatamanagement.go\u003c/code\u003e following the pattern already used in \u003ccode\u003eHandleGetAmData\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP 500 responses from UDM endpoints containing \u0026ldquo;net/url: invalid control character in URL\u0026rdquo; in the response body (see example in content).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting HTTP 500 responses with the string \u003ccode\u003enet/url: invalid control character in URL\u003c/code\u003e in the response body.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T02:09:58Z","date_published":"2026-05-07T02:09:58Z","id":"/briefs/2024-01-free5gc-udm-info-disclosure/","summary":"The free5GC UDM component fails to validate the `supi` path parameter in six GET handlers, allowing an unauthenticated attacker to inject control characters and trigger a `500 Internal Server Error` that exposes internal infrastructure details.","title":"Free5GC UDM Information Disclosure via Malformed Request","url":"https://feed.craftedsignal.io/briefs/2024-01-free5gc-udm-info-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed — Udm","version":"https://jsonfeed.org/version/1.1"}