CVE-2024-24430

CVE-2024-24430 is a reachable assertion vulnerability in the mme_ue_find_by_imsi function of Open5GS versions up to and including 2.6.4. This flaw affects the open-source 5G core network implementation, enabling attackers to trigger a Denial of Service (DoS) condition through a specially crafted NAS (Non-Access Stratum) packet. The issue is classified under CWE-617 and was published on 2025-01-22 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high-impact disruption without compromising confidentiality or integrity.

Remote attackers with network access to the vulnerable Open5GS deployment can exploit this vulnerability by sending a malicious NAS packet, which triggers the assertion failure in the MME (Mobility Management Entity) user equipment lookup function by IMSI. No authentication or privileges are required, and the attack requires low complexity with no user interaction. Successful exploitation results in a DoS, such as application crashes or service unavailability, potentially disrupting core network functions for affected users or the entire system.

Mitigation details and patches are referenced in advisories available at https://cellularsecurity.org/ransacked. Security practitioners should consult these resources for upgrade instructions to remediate the vulnerability in Open5GS deployments.