https://feed.craftedsignal.io/vendors/free5gc/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 07 May 2026 02:09:58 +0000https://feed.craftedsignal.io/briefs/2024-01-free5gc-udm-info-disclosure/Thu, 07 May 2026 02:09:58 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-free5gc-udm-info-disclosure/The free5GC UDM component fails to validate the `supi` path parameter in six GET handlers, allowing an unauthenticated attacker to inject control characters and trigger a `500 Internal Server Error` that exposes internal infrastructure details.The free5GC UDM (Unified Data Management) component, specifically versions up to and including v1.4.2, is vulnerable to an information disclosure vulnerability. The vulnerability lies in the nudm-sdm service, where six GET handlers lack proper validation of the supi path parameter. This omission allows an unauthenticated attacker to inject control characters into the supi parameter. Consequently, the UDM forwards a malformed request to UDR (Unified Data Repository), leading to a 500 Internal Server Error. This error response inadvertently exposes internal infrastructure details, including the UDR hostname and port, full internal API path structure, UDR API version, and internal service naming conventions. This vulnerability is a missed fix of CVE-2026-27642.

Attack Chain

1. The attacker sends a GET request to a vulnerable UDM endpoint (/nudm-sdm/v2/:supi/smf-select-data, /nudm-sdm/v2/:supi/nssai, /nudm-sdm/v2/:supi/trace-data, /nudm-sdm/v2/:supi/sm-data, /nudm-sdm/v2/:supi, or /nudm-sdm/v2/:supi/ue-context-in-smf-data).
2. The supi parameter in the URL contains injected control characters (e.g., %00).
3. The UDM fails to validate the supi parameter using validator.IsValidSupi().
4. The UDM constructs a URL to the UDR, incorporating the malformed supi.
5. Go’s net/url parser rejects the malformed URL containing control characters.
6. The UDM catches the parsing error.
7. The UDM responds with a 500 SYSTEM_FAILURE error, including internal details in the detail field.
8. The attacker receives the 500 response containing sensitive internal information.

Impact

An unauthenticated remote attacker can obtain internal infrastructure details by sending a crafted GET request to a vulnerable UDM endpoint. This information includes the internal UDR hostname and port, the full internal API path structure, the UDR API version, and the internal service naming convention. This information can then be used to facilitate further attacks against the UDR or other internal 5G core components.

Recommendation

• Apply the fix recommended by the vendor to include validator.IsValidSupi() to all six affected handlers in internal/sbi/api_subscriberdatamanagement.go following the pattern already used in HandleGetAmData.
• Monitor web server logs for HTTP 500 responses from UDM endpoints containing “net/url: invalid control character in URL” in the response body (see example in content).
• Deploy the Sigma rule detecting HTTP 500 responses with the string net/url: invalid control character in URL in the response body.

]]>mediumadvisoryinformation-disclosureinput-validationfree5GChttps://feed.craftedsignal.io/briefs/2024-01-free5gc-auth-bypass/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-free5gc-auth-bypass/Free5GC PCF versions prior to 1.4.3 are vulnerable to an authentication bypass due to missing middleware, allowing unauthenticated access to SM policy handlers and disclosure of subscriber SUPI.Free5GC PCF (Policy Control Function) versions prior to 1.4.3 contain an authentication bypass vulnerability (CVE-2026-42083) in the Npcf_SMPolicyControl service. The vulnerability stems from the absence of router authorization middleware for the smPolicyGroup route, allowing unauthenticated requests to reach sensitive SM policy handlers. An attacker able to reach the PCF SBI interface can directly invoke these handlers, potentially gaining access to subscriber identifiers including SUPI (Subscriber Permanent Identifier) and other policy context data. This issue was resolved in free5gc/pcf PR #63 by adding RouterAuthorizationCheck to smPolicyGroup.

Attack Chain

1. An attacker identifies a vulnerable Free5GC PCF instance running a version prior to 1.4.3.
2. The attacker gains network access to the PCF SBI (Service Based Interface).
3. The attacker sends an unauthenticated HTTP POST request to /npcf-smpolicycontrol/v1/sm-policies to create a new SM policy.
4. The PCF, lacking proper authentication, processes the request without verifying the attacker’s identity.
5. The attacker sends an unauthenticated HTTP GET request to /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId} to retrieve the newly created policy.
6. The PCF returns the policy context, which may contain sensitive subscriber identifiers such as supi.
7. The attacker exploits this vulnerability to gain unauthorized access to subscriber information and manipulate SM policies.

Impact

This authentication bypass vulnerability allows unauthorized access to subscriber data and policy control functions within the 5G core network. If exploited, an attacker could potentially gain access to sensitive subscriber information, disrupt network services, or manipulate policy settings. Successful exploitation allows unauthorized actors to invoke Npcf_SMPolicyControl handlers directly.

Recommendation

• Upgrade Free5GC PCF to version 1.4.3 or later to patch CVE-2026-42083.
• Deploy the Sigma rule Detect Unauthenticated PCF SM Policy Access to identify unauthenticated requests to the vulnerable endpoints.
• Implement network segmentation to restrict access to the PCF SBI interface.

]]>highadvisoryauthentication-bypass5gpcf