EUVD-2026-19642
GHSA-j69j-3gv3-pwvg
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
In OpenAirInterface V2.2.0 AMF, Out of sequence messages causes incorrect state transition during UE registration procedure. This allows authentication to be bypassed completely. If a SecurityModeComplete message is sent after InitialUERegistration, a registration reject is received followed by a registration accept! This leads the UE to be registered without proper authentication.
Analysis
Authentication bypass in OpenAirInterface V2.2.0 Access Management Function (AMF) allows unauthenticated remote attackers to register unauthorized User Equipment (UE) devices on 5G core networks. Exploiting incorrect state machine transitions during UE registration, attackers send SecurityModeComplete messages after InitialUERegistration to trigger registration acceptance without completing proper authentication procedures. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all instances of OpenAirInterface V2.2.0 in production or pre-production environments and isolate affected AMF systems from live network traffic if operationally feasible. Within 7 days: Implement network segmentation to restrict UE registration attempts to authorized device ranges; deploy monitoring on SecurityModeComplete message sequences for anomalous state transitions; contact OpenAirInterface project for remediation timeline. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today