CVE-2026-40247

High ⚡ Exploit Available
CWE-285 — Weakness Type
Published: Apr 16, 2026  ·  Modified: Apr 23, 2026  ·  Source: NVD
CVSS v3: 7.5
📄 Description (English)

free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for reading Traffic Influence Subscriptions checks whether the influenceId path segment equals subs-to-notify, but does not return after sending the HTTP 404 response when validation fails. Execution continues and the subscription data is returned alongside the 404 response. An unauthenticated attacker with access to the 5G Service Based Interface can read arbitrary Traffic Influence Subscriptions, including SUPIs/IMSIs, DNNs, S-NSSAIs, and callback URIs, by supplying any value for the influenceId path segment. A patched version was not available at the time of publication.
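
The missing-return pattern described above, reduced to a self-contained Go sketch with the corrected handler beside it. This is an added illustration using only the standard library, not free5GC source; the handler names, the `/demo/influence/` route and the sample record are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// Constructed sample record; not real subscriber data.
var sampleSubs = []map[string]string{{"supi": "imsi-001010000000001", "dnn": "internet"}}

// vulnerableRead writes the 404 but never returns, so the data is appended to the error body.
func vulnerableRead(w http.ResponseWriter, r *http.Request) {
	if path.Base(r.URL.Path) != "subs-to-notify" {
		http.Error(w, "not found", http.StatusNotFound)
		// BUG: no return here, execution falls through to the encoder below
	}
	json.NewEncoder(w).Encode(sampleSubs)
}

// fixedRead stops processing as soon as the error response has been written.
func fixedRead(w http.ResponseWriter, r *http.Request) {
	if path.Base(r.URL.Path) != "subs-to-notify" {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	json.NewEncoder(w).Encode(sampleSubs)
}

// probe is a regression check: it reports the status code and whether a SUPI reached the body.
func probe(h http.HandlerFunc, influenceID string) (int, bool) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/demo/influence/"+influenceID, nil)
	h(rec, req)
	return rec.Code, strings.Contains(rec.Body.String(), "imsi-")
}

func main() {
	for name, h := range map[string]http.HandlerFunc{"vulnerable": vulnerableRead, "fixed": fixedRead} {
		code, leaked := probe(h, "anything")
		fmt.Printf("%s: status=%d leaked=%v\n", name, code, leaked)
	}
}
```

A check like `probe` belongs in the handler's unit tests, because the status code alone (404 in both cases) does not reveal the leak.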

🤖 AI Executive Summary

CVE-2026-40247 is a critical authentication bypass vulnerability in free5GC UDR service (versions 4.2.1 and below) that allows unauthenticated attackers to read arbitrary Traffic Influence Subscriptions including sensitive subscriber identifiers (SUPIs/IMSIs), network slices, and callback URIs. The vulnerability exists due to improper HTTP response handling where the application continues execution after sending a 404 response, leaking subscription data. With no patch available and active exploits likely, this poses immediate risk to 5G core network deployments.

🤖 AI Intelligence Analysis Analyzed: May 2, 2026 21:18
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability directly impacts Saudi telecommunications operators (STC, Mobily, Zain) deploying free5GC-based 5G core networks. The exposure of SUPIs/IMSIs and subscriber network slice information (S-NSSAIs) enables subscriber tracking, service interception, and targeted attacks on enterprise 5G services. Government and critical infrastructure sectors (ARAMCO, healthcare, financial services) relying on private 5G networks are at severe risk. CITC-regulated telecom operators face compliance violations under SAMA CSF and NCA ECC frameworks. The lack of available patches creates an extended vulnerability window requiring immediate compensating controls.
🏢 Affected Saudi Sectors
- Telecommunications (STC, Mobily, Zain, Etihad Etisalat)
- Government (CITC, NCA, Ministry of Interior)
- Energy (Saudi Aramco, SEC)
- Banking and Financial Services (SAMA-regulated institutions)
- Healthcare (MOH, private hospitals with 5G networks)
- Critical Infrastructure (ports, airports, utilities)
- Enterprise/Private 5G Networks
⚖️ Saudi Risk Score (AI)
8.8 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all free5GC UDR service instances in production (versions 4.2.1 and below) across your 5G infrastructure
2. Implement network segmentation: restrict access to UDR Service Based Interface (SBI) to authenticated NF consumers only using firewall rules and mTLS enforcement
3. Enable comprehensive logging and monitoring of all UDR API requests, specifically /nudr-dr/v2/subscription-data/traffic-influence-subscriptions endpoints
4. Deploy Web Application Firewall (WAF) rules to detect and block requests with suspicious influenceId parameters

COMPENSATING CONTROLS (until patch available):
5. Implement strict mutual TLS (mTLS) authentication for all SBI communications - reject any unauthenticated requests at ingress
6. Deploy API gateway with request validation to enforce influenceId format validation and return immediately after 404 responses
7. Implement rate limiting and anomaly detection on subscription data queries
8. Encrypt all subscription data at rest and in transit using AES-256

DETECTION RULES:
- Alert on any HTTP 404 responses from /nudr-dr/v2/subscription-data/traffic-influence-subscriptions followed by 200 responses
- Monitor for requests with influenceId values not matching expected format (should only be 'subs-to-notify')
- Track unauthorized access attempts to UDR endpoints from non-authenticated sources
- Flag bulk subscription data queries or unusual access patterns
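
One way to apply the influenceId and 404 checks above to access logs, as an added Go example that is not part of any free5GC tooling. The log layout, the `maxErrorBody` threshold and the sample lines are assumptions; the size check rests on the description's point that the data is returned alongside the 404.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Endpoint prefix as given in the remediation steps above.
const endpoint = "/nudr-dr/v2/subscription-data/traffic-influence-subscriptions/"

// Assumed access-log layout: src "GET path PROTO" status bytes-sent
var lineRE = regexp.MustCompile(`^(\S+) "GET (\S+) \S+" (\d{3}) (\d+)$`)

// maxErrorBody is an assumed upper bound, in bytes, for a bare 404 error body.
const maxErrorBody = 200

type finding struct{ Src, InfluenceID, Reason string }

// scan flags oversized 404 responses first, then any influenceId other than subs-to-notify.
func scan(lines []string) []finding {
	var out []finding
	for _, l := range lines {
		m := lineRE.FindStringSubmatch(l)
		if m == nil || !strings.HasPrefix(m[2], endpoint) {
			continue
		}
		id := strings.TrimPrefix(m[2], endpoint)
		status, _ := strconv.Atoi(m[3])
		size, _ := strconv.Atoi(m[4])
		switch {
		case status == 404 && size > maxErrorBody:
			out = append(out, finding{m[1], id, "404 with oversized body"})
		case id != "subs-to-notify":
			out = append(out, finding{m[1], id, "unexpected influenceId"})
		}
	}
	return out
}

// Constructed sample log lines.
var sample = []string{
	"10.0.0.5 \"GET " + endpoint + "subs-to-notify HTTP/2.0\" 200 412",
	"10.0.0.9 \"GET " + endpoint + "x1 HTTP/2.0\" 404 431",
	"10.0.0.9 \"GET " + endpoint + "x2 HTTP/2.0\" 404 96",
}

func main() { fmt.Println(scan(sample)) }
```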

PATCHING STRATEGY:
9. Monitor free5GC GitHub repository and official channels for security patches
10. Prepare isolated test environment to validate patches immediately upon release
11. Develop rollback procedures for emergency patching
12. Consider migration to alternative 5G core implementations if patches remain unavailable beyond 30 days
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- ECC 2024 A.5.1.1 - Access Control: Unauthenticated access to subscriber data violates access control requirements
- ECC 2024 A.5.2.1 - User Authentication: Lack of authentication enforcement on SBI endpoints
- ECC 2024 A.5.3.1 - Access Rights: Unauthorized disclosure of subscriber identifiers and network configuration
- ECC 2024 A.6.1.2 - Cryptography: Unencrypted transmission of sensitive subscription data
- ECC 2024 A.7.1.1 - Event Logging: Insufficient logging of unauthorized access attempts
🔵 SAMA CSF
- SAMA CSF ID.AM-1: Asset Management - Unpatched 5G core components create unmanaged security risks
- SAMA CSF PR.AC-1: Access Control - Authentication bypass enables unauthorized data access
- SAMA CSF PR.DS-1: Data Security - Subscriber data exposure violates confidentiality requirements
- SAMA CSF DE.AE-1: Anomalies and Events - Lack of detection mechanisms for exploitation attempts
- SAMA CSF RS.MI-1: Mitigation - No patch availability extends incident response timeline
🟡 ISO 27001:2022
- ISO 27001:2022 A.5.2 - User Access Management: Inadequate authentication controls
- ISO 27001:2022 A.5.3 - Access Control: Unauthorized access to subscriber information
- ISO 27001:2022 A.8.1 - Cryptography: Unencrypted sensitive data transmission
- ISO 27001:2022 A.8.3 - Cryptographic Key Management: Lack of encryption for subscription data
- ISO 27001:2022 A.12.4 - Logging: Insufficient audit trails for access attempts
🟣 PCI DSS v4.0.1
- PCI DSS 1.2.1 - Network Segmentation: SBI endpoints must be restricted to authorized NFs only
- PCI DSS 2.1 - Default Security Parameters: Unauthenticated access violates secure defaults
- PCI DSS 6.2 - Security Patches: Unpatched vulnerability requires immediate compensating controls
- PCI DSS 7.1 - Access Control: Subscriber data access must be restricted to authorized personnel
📦 Affected Products / CPE 1 entries
free5gc:free5gc
📊 CVSS Score
7.5 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: N (None)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: N (None)
Availability: N (None)
📋 Quick Facts
Severity: High
CVSS Score: 7.5
CWE: CWE-285
EPSS: 0.03%
Exploit: ✓ Yes
Patch: ✗ No
Published: 2026-04-16
Source Feed: nvd
🇸🇦 Saudi Risk Score
8.8 / 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
exploit-available CWE-285