Cyber Posture

CVE-2024-34235

High · Public PoC

Published: 22 January 2025

Modified: 22 April 2025
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0040 (60.7th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-34235 is a high-severity Reachable Assertion (CWE-617) vulnerability in Open5GS. Its CVSS base score is 8.6 (High).

Operationally, it ranks in the top 39.3% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Validates malformed ASN.1 packets over the S1AP interface to ensure required fields like NAS_PDU are present, preventing assertion failures and MME crashes.

prevent, detect

Protects against denial-of-service from repeated Initial UE Messages lacking NAS_PDU by implementing rate limiting and traffic safeguards on the S1AP interface.

prevent

Remediates the reachable assertion flaw in Open5GS MME versions <=2.6.4 through timely patching as outlined in the vulnerability advisory.

NVD Description

Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send an `Initial UE Message` missing a required `NAS_PDU` field to repeatedly crash the MME, resulting in denial of service.

Deeper analysis (AI)

CVE-2024-34235 affects Open5GS Mobility Management Entity (MME) versions up to and including 2.6.4. The vulnerability stems from an assertion failure that can be remotely triggered by a malformed ASN.1 packet transmitted over the S1AP interface. Specifically, an attacker can send an Initial UE Message lacking the required NAS_PDU field, causing the MME to crash and resulting in a denial-of-service condition. This issue is classified under CWE-617 (Reachable Assertion) and carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

Any remote attacker can exploit this vulnerability without authentication or privileges, as it requires only network access and low complexity to craft and send the malformed packet. By repeatedly transmitting the Initial UE Message without the NAS_PDU field, the attacker can crash the MME process multiple times, leading to sustained denial of service that disrupts core network functions reliant on the MME, such as UE attachment and mobility management. The changed scope (S:C) amplifies the impact across the system's availability.

Mitigation details and patches are outlined in the advisory available at https://cellularsecurity.org/ransacked. Security practitioners should consult this reference for upgrade guidance and workarounds to address the vulnerability in affected Open5GS deployments.
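
The defensive pattern behind the input-validation control, as an added example that is not Open5GS code: a missing required IE is rejected as a per-message protocol error instead of being asserted on. The struct layout, status codes and function names are hypothetical, and the sample messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified model of a decoded S1AP Initial UE Message.
 * A pointer is NULL when the IE was absent from the ASN.1 encoding.
 * These are not Open5GS's real types. */
typedef struct {
    const uint32_t *enb_ue_s1ap_id;
    const uint8_t  *nas_pdu;       /* required by the protocol */
    size_t          nas_pdu_len;
} initial_ue_msg_t;

typedef enum { MSG_OK, MSG_REJECT_MISSING_IE, MSG_REJECT_EMPTY_IE } msg_status_t;

/* Per-peer counters so repeated malformed messages show up in monitoring. */
typedef struct { unsigned accepted, rejected; } peer_stats_t;

/* CWE-617 pattern, shown only as a comment for contrast:
 *     assert(msg->nas_pdu);    aborts the whole process on peer input
 * Hardened form: a missing required IE is a protocol error for this one
 * message; the process keeps serving other peers. stats must be non-NULL. */
msg_status_t handle_initial_ue_message(const initial_ue_msg_t *msg,
                                       peer_stats_t *stats)
{
    msg_status_t rc = MSG_OK;
    if (msg == NULL || msg->enb_ue_s1ap_id == NULL || msg->nas_pdu == NULL)
        rc = MSG_REJECT_MISSING_IE;
    else if (msg->nas_pdu_len == 0)
        rc = MSG_REJECT_EMPTY_IE;
    if (rc == MSG_OK) stats->accepted++; else stats->rejected++;
    return rc;
}

/* Constructed sample input: one well-formed message, one without NAS_PDU. */
unsigned demo_rejected_count(void)
{
    static const uint32_t id = 1;
    static const uint8_t nas[] = { 0x07, 0x41 };   /* constructed bytes */
    initial_ue_msg_t good = { &id, nas, sizeof nas };
    initial_ue_msg_t bad  = { &id, NULL, 0 };
    peer_stats_t stats = { 0, 0 };
    handle_initial_ue_message(&good, &stats);
    handle_initial_ue_message(&bad, &stats);
    return stats.rejected;
}

int main(void) { printf("rejected=%u\n", demo_rejected_count()); return 0; }
```

The `rejected` counter is the hook for the rate-limiting control: a peer whose count climbs quickly is a candidate for throttling or alerting.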

Details

CWE(s)

Affected Products

open5gs / open5gs, versions ≤ 2.6.4

CVEs Like This One

CVE-2025-15530: Same product: Open5Gs Open5Gs
CVE-2024-24428: Same product: Open5Gs Open5Gs
CVE-2026-2523: Same product: Open5Gs Open5Gs
CVE-2024-24430: Same product: Open5Gs Open5Gs
CVE-2024-24427: Same product: Open5Gs Open5Gs
CVE-2024-24429: Same product: Open5Gs Open5Gs
CVE-2023-37018: Same product: Open5Gs Open5Gs
CVE-2023-37019: Same product: Open5Gs Open5Gs
CVE-2023-37021: Same product: Open5Gs Open5Gs
CVE-2023-37017: Same product: Open5Gs Open5Gs
