How to fix CVE-2025-69232?

Within 24 hours: Inventory all free5GC deployments and confirm affected versions (go-upf ≤1.2.6, SMF ≤1.4.0); document network exposure and isolation status. Within 7 days: Implement network segmentation to restrict untrusted input to SMF/go-upf components; enable protocol validation logging to detect exploitation attempts. Within 30 days: Monitor vendor releases for patches; establish upgrade plan with testing in non-production environment; coordinate with free5GC community for security advisories.

Is Smf affected by CVE-2025-69232?

A denial-of-service vulnerability affecting free5GC 5G core network infrastructure (versions up to 1.2.6 for go-upf and 1.4.0 for SMF) could allow attackers to disrupt mobile network services.

CVE-2025-69232

HIGH

2026-02-23 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 25, 2026 - 16:20 vuln.today

Public exploit code

CVE Published

Feb 23, 2026 - 22:16 nvd

HIGH 7.5

Description

free5GC is an open-source project for 5th generation (5G) mobile core networks. free5GC go-upf versions up to and including 1.2.6, corresponding to free5gc smf up to and including 1.4.0, have an Improper Input Validation and Protocol Compliance vulnerability leading to Denial of Service. Remote attackers can disrupt core network functionality by sending a malformed PFCP Association Setup Request. The UPF incorrectly accepts it, entering an inconsistent state that causes subsequent legitimate requests to trigger SMF reconnection loops and service degradation. All deployments of free5GC using the UPF and SMF components may be affected. As of time of publication, a fix is in development but not yet available. No direct workaround is available at the application level. Applying the official patch, once released, is recommended.

Analysis

Technical Context

Classified as CWE-20 (Improper Input Validation). Affects Go-Upf. free5GC is an open-source project for 5th generation (5G) mobile core networks. free5GC go-upf versions up to and including 1.2.6, corresponding to free5gc smf up to and including 1.4.0, have an Improper Input Validation and Protocol Compliance vulnerability leading to Denial of Service. Remote attackers can disrupt core network functionality by sending a malformed PFCP Association Setup Request. The UPF incorrectly accepts it, entering an inconsistent state that causes subsequent legitimate req

Affected Products

Vendor: Free5Gc. Product: Go-Upf.

Remediation

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.2

CVSS: +38

POC: +20

CVE-2025-69232 vulnerability details – vuln.today

Back

CVE-2025-69232

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-69232

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code