CVE-2025-41067

HIGH

open5gs < 2.7.6 - Denial of Service via NRF Registry Deletion

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-41067. PoCs published by xvk1t1.

AI-analyzed exploit summary The repository contains two Python scripts demonstrating DoS vulnerabilities in Open5GS NRF. CVE-2025-41067 triggers a crash by deleting self-referential NRF instances, while CVE-2025-41068 exploits invalid NF type registration.

Description

Reachable Assertion vulnerability in Open5GS up to version 2.7.6 allows attackers with connectivity to the NRF to cause a denial of service. An SBI request that deletes the NRF's own registry causes a check that ends up crashing the NRF process and renders the discovery service unavailable.

Exploits (1)

nomisec WORKING POC
by xvk1t1 · poc
https://github.com/xvk1t1/Open5GS-CVE-2025-41067-CVE-2025-41068-PoC

The repository contains two Python scripts demonstrating DoS vulnerabilities in Open5GS NRF. CVE-2025-41067 triggers a crash by deleting self-referential NRF instances, while CVE-2025-41068 exploits invalid NF type registration.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Open5GS (versions prior to 2.7.6)
No auth needed
Prerequisites: Network access to NRF HTTP/2 interface (port 7777)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 7.5
EPSS 0.0036
EPSS Percentile 27.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-617
Status published
Products (1)
open5gs/open5gs < 2.7.5
Published Oct 27, 2025
Tracked Since Feb 18, 2026