📄 Description (English)
free5GC is an open-source implementation of the 5G core network. In versions 1.4.2 and below of the UDR service, the handler for deleting Traffic Influence Subscriptions checks whether the influenceId path segment equals subs-to-notify, but does not return after sending the HTTP 404 response when validation fails. Execution continues and the subscription is deleted regardless. An unauthenticated attacker with access to the 5G Service Based Interface can delete arbitrary Traffic Influence Subscriptions by supplying any value for the influenceId path segment, while the API misleadingly returns a 404 Not Found response. A patched version was not available at the time of publication.
🤖 AI Executive Summary
CVE-2026-40246 is a critical authentication bypass vulnerability in free5GC UDR service (v1.4.2 and below) that allows unauthenticated attackers to delete arbitrary Traffic Influence Subscriptions through improper validation logic. The vulnerability exists because the deletion handler fails to return after sending a 404 response when validation fails, allowing execution to continue and delete subscriptions regardless. This directly impacts 5G core network integrity and service availability, with no patch currently available.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 2, 2026 21:18
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses severe risk to Saudi telecommunications infrastructure, particularly STC (Saudi Telecom Company) and other licensed 5G operators deploying free5GC. The vulnerability enables denial of service attacks against 5G core network services, disrupting traffic management and subscriber services. Government entities using 5G infrastructure for critical communications and ARAMCO's industrial IoT deployments are at risk. The lack of authentication requirement makes this exploitable from the 5G Service Based Interface, potentially by compromised network elements or insider threats. Banking and financial services relying on 5G connectivity for transaction processing face indirect impact through service disruption.
🏢 Affected Saudi Sectors
Telecommunications (STC, Zain, Mobily, Virgin Mobile)
Government (NCA, critical infrastructure)
Banking and Financial Services (5G-dependent transaction processing)
Energy (ARAMCO, industrial IoT over 5G)
Healthcare (5G-enabled telemedicine and remote monitoring)
Defense and Security
🎯 MITRE ATT&CK Techniques
T1190 - Exploit Public-Facing Application (5G SBI exposure)
T1589 - Gather Victim Identity Information (subscription enumeration)
T1561 - Disk Wipe (subscription data deletion)
T1499 - Endpoint Denial of Service (service disruption via subscription deletion)
T1556 - Modify Authentication Process (authentication bypass)
T1087 - Account Discovery (subscription enumeration)
T1531 - Account Access Removal (subscription deletion)
⚖️ Saudi Risk Score (AI)
8.7
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all free5GC UDR service deployments in your 5G network to identify affected versions (1.4.2 and below)
2. Implement network segmentation to restrict access to the 5G Service Based Interface (SBI) to only authorized network functions
3. Enable comprehensive logging and monitoring of all UDR deletion requests, including failed validation attempts
4. Deploy WAF/API gateway rules to validate influenceId parameters and block suspicious deletion patterns
COMPENSATING CONTROLS (until patch available):
5. Implement mutual TLS (mTLS) authentication at the SBI level to prevent unauthenticated access
6. Deploy rate limiting on UDR deletion endpoints to mitigate bulk deletion attacks
7. Implement request signing and validation mechanisms for all SBI communications
8. Maintain offline backups of Traffic Influence Subscriptions configuration
DETECTION RULES:
9. Monitor for DELETE requests to /nudr-dr/v2/subscription-data/*/traffic-influence-subscriptions/* endpoints
10. Alert on 404 responses followed by successful subscription deletions in logs
11. Track unusual patterns of subscription deletions from unexpected source IPs
12. Monitor for requests without proper authentication headers to SBI endpoints
PATCHING:
13. Contact free5GC project for security updates or consider alternative 5G core implementations
14. Evaluate upgrading to patched versions immediately upon availability
15. Implement code review process for custom free5GC modifications to prevent similar issues
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع نشرات خدمة UDR بـ free5GC في شبكة 5G الخاصة بك لتحديد الإصدارات المتأثرة (1.4.2 وما دون)
2. تطبيق تقسيم الشبكة لتقييد الوصول إلى واجهة 5G Service Based (SBI) للوظائف الشبكية المصرح بها فقط
3. تفعيل السجلات الشاملة ومراقبة جميع طلبات حذف UDR، بما في ذلك محاولات التحقق الفاشلة
4. نشر قواعد WAF/بوابة API للتحقق من معاملات influenceId وحظر أنماط الحذف المريبة
الضوابط التعويضية (حتى توفر التصحيح):
5. تطبيق المصادقة المتبادلة TLS (mTLS) على مستوى SBI لمنع الوصول غير المصرح به
6. نشر تحديد معدل على نقاط نهاية حذف UDR للتخفيف من هجمات الحذف الجماعي
7. تطبيق آليات التوقيع والتحقق من الطلبات لجميع اتصالات SBI
8. الحفاظ على نسخ احتياطية غير متصلة من تكوين اشتراكات التأثير على حركة المرور
قواعد الكشف:
9. مراقبة طلبات DELETE إلى نقاط نهاية /nudr-dr/v2/subscription-data/*/traffic-influence-subscriptions/*
10. تنبيه على استجابات 404 متبوعة بحذف اشتراكات ناجح في السجلات
11. تتبع الأنماط غير العادية لحذف الاشتراكات من عناوين IP غير متوقعة
12. مراقبة الطلبات بدون رؤوس مصادقة مناسبة لنقاط نهاية SBI
التصحيح:
13. الاتصال بمشروع free5GC للحصول على تحديثات أمان أو النظر في تطبيقات 5G الأساسية البديلة
14. تقييم الترقية إلى الإصدارات المصححة فوراً عند توفرها
15. تطبيق عملية مراجعة الكود لتعديلات free5GC المخصصة لمنع مشاكل مماثلة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policies (authentication bypass)
ECC 2024 A.5.2.1 - User Registration and Access Management
ECC 2024 A.6.1.1 - Information Security Incident Management
ECC 2024 A.8.1.1 - Audit Logging and Monitoring
ECC 2024 A.12.4.1 - Event Logging (deletion events not properly validated)
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Asset Management (5G infrastructure inventory)
SAMA CSF PR.AC-1 - Access Control (authentication and authorization)
SAMA CSF PR.AC-3 - Access Enforcement (SBI access restrictions)
SAMA CSF DE.CM-1 - Detection and Analysis (monitoring UDR operations)
SAMA CSF RS.MI-2 - Incident Response (mitigation of subscription deletions)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.2 - Information Security Policies and Procedures
ISO 27001:2022 A.6.1 - Organizational Controls (access management)
ISO 27001:2022 A.8.1 - Audit and Accountability
ISO 27001:2022 A.8.2 - Information Security Event Management
ISO 27001:2022 A.8.3 - Monitoring and Review of Information Security
🟣 PCI DSS v4.0.1
PCI DSS 3.2.1 - Strong Cryptography (mTLS implementation)
PCI DSS 7.1 - Access Control (restrict SBI access)
PCI DSS 10.1 - Audit Logging (monitor deletion attempts)
PCI DSS 10.3 - Log Protection and Review
📦 Affected Products / CPE 1 entries
free5gc:free5gc