CVE-2025-66786: OAI CN5G AMF: unauthenticated JSON DoS on 5G SBI interface

HIGH CISA: TRACK*
Published January 7, 2026
CISO Take

OpenAirInterface 5G Core AMF (v2.0.1 and below) has a logic flaw in its JSON parser on the Service-Based Interface (SBI) that lets any unauthenticated attacker on the network crash the function with a single malicious HTTP request — no credentials, no complexity, no user interaction required (CVSS 7.5, AV:N/AC:L/PR:N/UI:N). AMF is the 5G core's access control brain; taking it down disconnects all attached UEs, which matters directly to organizations running private 5G networks that carry AI edge inference traffic, IoT telemetry pipelines, or AI-enabled industrial workloads. While there is no public exploit and the vulnerability is not in CISA KEV, the trivially-low attack complexity on a network-exposed API with 13,670 downstream dependents is a meaningful exposure window. Operators should immediately restrict SBI interface reachability to trusted internal 5G core segments and monitor for anomalous JSON payloads until an official patch or workaround from the OpenAirInterface project is confirmed — the sole reference link in the advisory is currently broken.

Sources: NVD ATLAS OpenSSF

What is the risk?

Risk is HIGH for organizations operating private 5G deployments (telecom labs, enterprise 5G, research networks). Attack complexity is trivial: unauthenticated network access plus a crafted JSON payload is all that is required. Availability impact is total for connected devices — an AMF outage means all UEs lose network registration. The broken advisory reference makes patch availability unclear, extending the exposure window. For pure cloud AI workloads with no 5G dependency, risk is LOW. For 5G-connected AI edge deployments (manufacturing, healthcare, autonomous systems), risk is HIGH given the availability-only but operationally critical impact.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenAI Python pip No patch
31.1K OpenSSF 6.9 17.3K dependents Pushed 13d ago 14% patched ~23d to patch Full package profile →

Do you use OpenAI Python? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 24% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

What should I do?

5 steps
  1. Restrict AMF SBI interface (typically TCP 80/443) to authorized 5G core network segments via firewall or network policy — prevent any untrusted host from reaching it.

  2. Monitor for unrecognized or malformed JSON payloads on SBI endpoints using network IDS signatures targeting CWE-20 patterns.

  3. Apply the upstream patch from the OpenAirInterface project as soon as it is published; track the GitHub repository at open-air-interface/oai-cn5g-amf for releases beyond v2.0.1.

  4. If a patch is not yet available, consider deploying a WAF or API gateway in front of the SBI that enforces JSON schema validation and rejects malformed bodies.

  5. Establish out-of-band alerting for AMF process crashes to detect exploitation attempts in production.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk Management System Article 9 - Risk management system
ISO 42001
A.6.5 - AI system operation A.9.2 - AI System Availability and Resilience
NIST AI RMF
GOVERN-6.1 - Policies and procedures for AI risk management MANAGE-2.4 - Residual Risks and Recovery
OWASP LLM Top 10
LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2025-66786?

OpenAirInterface 5G Core AMF (v2.0.1 and below) has a logic flaw in its JSON parser on the Service-Based Interface (SBI) that lets any unauthenticated attacker on the network crash the function with a single malicious HTTP request — no credentials, no complexity, no user interaction required (CVSS 7.5, AV:N/AC:L/PR:N/UI:N). AMF is the 5G core's access control brain; taking it down disconnects all attached UEs, which matters directly to organizations running private 5G networks that carry AI edge inference traffic, IoT telemetry pipelines, or AI-enabled industrial workloads. While there is no public exploit and the vulnerability is not in CISA KEV, the trivially-low attack complexity on a network-exposed API with 13,670 downstream dependents is a meaningful exposure window. Operators should immediately restrict SBI interface reachability to trusted internal 5G core segments and monitor for anomalous JSON payloads until an official patch or workaround from the OpenAirInterface project is confirmed — the sole reference link in the advisory is currently broken.

Is CVE-2025-66786 actively exploited?

No confirmed active exploitation of CVE-2025-66786 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-66786?

1. Restrict AMF SBI interface (typically TCP 80/443) to authorized 5G core network segments via firewall or network policy — prevent any untrusted host from reaching it. 2. Monitor for unrecognized or malformed JSON payloads on SBI endpoints using network IDS signatures targeting CWE-20 patterns. 3. Apply the upstream patch from the OpenAirInterface project as soon as it is published; track the GitHub repository at open-air-interface/oai-cn5g-amf for releases beyond v2.0.1. 4. If a patch is not yet available, consider deploying a WAF or API gateway in front of the SBI that enforces JSON schema validation and rejects malformed bodies. 5. Establish out-of-band alerting for AMF process crashes to detect exploitation attempts in production.

What systems are affected by CVE-2025-66786?

This vulnerability affects the following AI/ML architecture patterns: 5G edge AI deployments, AI-enabled IoT pipelines over private 5G, Model serving at the network edge.

What is the CVSS score for CVE-2025-66786?

CVE-2025-66786 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.32%.

What is the AI security impact?

Affected AI Architectures

5G edge AI deploymentsAI-enabled IoT pipelines over private 5GModel serving at the network edge

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 9, Article 9
ISO 42001: A.6.5, A.9.2
NIST AI RMF: GOVERN-6.1, MANAGE-2.4
OWASP LLM Top 10: LLM10:2025

What are the technical details?

Original Advisory

OpenAirInterface CN5G AMF<=v2.0.1 There is a logical error when processing JSON format requests. Unauthorized remote attackers can send malicious JSON data to AMF's SBI interface to launch a denial-of-service attack.

Exploitation Scenario

An adversary with access to the same network segment as the 5G core (e.g., a compromised edge node, a rogue UE, or an insider on the management network) sends a single HTTP POST request to the AMF's SBI endpoint containing a crafted malicious JSON body that triggers the logic error. The AMF process crashes or enters an unresponsive state. All UEs attempting to register or that are currently registered lose network connectivity. In an AI edge deployment scenario — such as a smart factory running real-time defect detection on 5G-connected cameras — this outage halts all AI inference at the edge until the AMF is manually restarted, potentially creating a physical safety window with no AI monitoring active.

Weaknesses (CWE)

CWE-20 — Improper Input Validation: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

  • [Architecture and Design] Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]
  • [Architecture and Design] Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
January 7, 2026
Last Modified
January 29, 2026
First Seen
January 7, 2026

Related Vulnerabilities