{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/free5gc/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-27642"}],"_cs_exploited":false,"_cs_products":["udm"],"_cs_severities":["medium"],"_cs_tags":["information-disclosure","input-validation","free5GC"],"_cs_type":"advisory","_cs_vendors":["free5gc"],"content_html":"\u003cp\u003eThe free5GC UDM (Unified Data Management) component, specifically versions up to and including v1.4.2, is vulnerable to an information disclosure vulnerability. The vulnerability lies in the \u003ccode\u003enudm-sdm\u003c/code\u003e service, where six GET handlers lack proper validation of the \u003ccode\u003esupi\u003c/code\u003e path parameter. This omission allows an unauthenticated attacker to inject control characters into the \u003ccode\u003esupi\u003c/code\u003e parameter. Consequently, the UDM forwards a malformed request to UDR (Unified Data Repository), leading to a \u003ccode\u003e500 Internal Server Error\u003c/code\u003e. This error response inadvertently exposes internal infrastructure details, including the UDR hostname and port, full internal API path structure, UDR API version, and internal service naming conventions. This vulnerability is a missed fix of CVE-2026-27642.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a GET request to a vulnerable UDM endpoint (\u003ccode\u003e/nudm-sdm/v2/:supi/smf-select-data\u003c/code\u003e, \u003ccode\u003e/nudm-sdm/v2/:supi/nssai\u003c/code\u003e, \u003ccode\u003e/nudm-sdm/v2/:supi/trace-data\u003c/code\u003e, \u003ccode\u003e/nudm-sdm/v2/:supi/sm-data\u003c/code\u003e, \u003ccode\u003e/nudm-sdm/v2/:supi\u003c/code\u003e, or \u003ccode\u003e/nudm-sdm/v2/:supi/ue-context-in-smf-data\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esupi\u003c/code\u003e parameter in the URL contains injected control characters (e.g., \u003ccode\u003e%00\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe UDM fails to validate the \u003ccode\u003esupi\u003c/code\u003e parameter using \u003ccode\u003evalidator.IsValidSupi()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe UDM constructs a URL to the UDR, incorporating the malformed \u003ccode\u003esupi\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eGo\u0026rsquo;s \u003ccode\u003enet/url\u003c/code\u003e parser rejects the malformed URL containing control characters.\u003c/li\u003e\n\u003cli\u003eThe UDM catches the parsing error.\u003c/li\u003e\n\u003cli\u003eThe UDM responds with a \u003ccode\u003e500 SYSTEM_FAILURE\u003c/code\u003e error, including internal details in the \u003ccode\u003edetail\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the \u003ccode\u003e500\u003c/code\u003e response containing sensitive internal information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAn unauthenticated remote attacker can obtain internal infrastructure details by sending a crafted GET request to a vulnerable UDM endpoint. This information includes the internal UDR hostname and port, the full internal API path structure, the UDR API version, and the internal service naming convention. This information can then be used to facilitate further attacks against the UDR or other internal 5G core components.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the fix recommended by the vendor to include \u003ccode\u003evalidator.IsValidSupi()\u003c/code\u003e to all six affected handlers in \u003ccode\u003einternal/sbi/api_subscriberdatamanagement.go\u003c/code\u003e following the pattern already used in \u003ccode\u003eHandleGetAmData\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP 500 responses from UDM endpoints containing \u0026ldquo;net/url: invalid control character in URL\u0026rdquo; in the response body (see example in content).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting HTTP 500 responses with the string \u003ccode\u003enet/url: invalid control character in URL\u003c/code\u003e in the response body.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T02:09:58Z","date_published":"2026-05-07T02:09:58Z","id":"/briefs/2024-01-free5gc-udm-info-disclosure/","summary":"The free5GC UDM component fails to validate the `supi` path parameter in six GET handlers, allowing an unauthenticated attacker to inject control characters and trigger a `500 Internal Server Error` that exposes internal infrastructure details.","title":"Free5GC UDM Information Disclosure via Malformed Request","url":"https://feed.craftedsignal.io/briefs/2024-01-free5gc-udm-info-disclosure/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["pcf (\u003c 1.4.3)"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","5g","pcf"],"_cs_type":"advisory","_cs_vendors":["free5gc"],"content_html":"\u003cp\u003eFree5GC PCF (Policy Control Function) versions prior to 1.4.3 contain an authentication bypass vulnerability (CVE-2026-42083) in the Npcf_SMPolicyControl service. The vulnerability stems from the absence of router authorization middleware for the \u003ccode\u003esmPolicyGroup\u003c/code\u003e route, allowing unauthenticated requests to reach sensitive SM policy handlers. An attacker able to reach the PCF SBI interface can directly invoke these handlers, potentially gaining access to subscriber identifiers including SUPI (Subscriber Permanent Identifier) and other policy context data. This issue was resolved in free5gc/pcf PR #63 by adding \u003ccode\u003eRouterAuthorizationCheck\u003c/code\u003e to \u003ccode\u003esmPolicyGroup\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Free5GC PCF instance running a version prior to 1.4.3.\u003c/li\u003e\n\u003cli\u003eThe attacker gains network access to the PCF SBI (Service Based Interface).\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated HTTP POST request to \u003ccode\u003e/npcf-smpolicycontrol/v1/sm-policies\u003c/code\u003e to create a new SM policy.\u003c/li\u003e\n\u003cli\u003eThe PCF, lacking proper authentication, processes the request without verifying the attacker\u0026rsquo;s identity.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated HTTP GET request to \u003ccode\u003e/npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}\u003c/code\u003e to retrieve the newly created policy.\u003c/li\u003e\n\u003cli\u003eThe PCF returns the policy context, which may contain sensitive subscriber identifiers such as \u003ccode\u003esupi\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits this vulnerability to gain unauthorized access to subscriber information and manipulate SM policies.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis authentication bypass vulnerability allows unauthorized access to subscriber data and policy control functions within the 5G core network. If exploited, an attacker could potentially gain access to sensitive subscriber information, disrupt network services, or manipulate policy settings. Successful exploitation allows unauthorized actors to invoke Npcf_SMPolicyControl handlers directly.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Free5GC PCF to version 1.4.3 or later to patch CVE-2026-42083.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Unauthenticated PCF SM Policy Access\u003c/code\u003e to identify unauthenticated requests to the vulnerable endpoints.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict access to the PCF SBI interface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-free5gc-auth-bypass/","summary":"Free5GC PCF versions prior to 1.4.3 are vulnerable to an authentication bypass due to missing middleware, allowing unauthenticated access to SM policy handlers and disclosure of subscriber SUPI.","title":"Free5GC PCF Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-free5gc-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Free5gc","version":"https://jsonfeed.org/version/1.1"}