Cyber Resilience

CVE-2025-66720

High · Public PoC

Published: 23 January 2026
Modified: 11 February 2026
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0003 (8.1th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-66720 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Free5Gc Pcf. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 8.1th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-11 (Error Handling).

Deeper analysis

CVE-2025-66720, published on 2026-01-23, is a null pointer dereference vulnerability (CWE-476) affecting free5gc pcf version 1.4.0. The flaw resides in the file internal/sbi/processor/ampolicy.go within the function HandleDeletePoliciesPolAssoId. free5gc is an open-source implementation of a 5G core network, and pcf refers to its Policy Control Function component. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high availability impact.

An attacker can exploit this vulnerability remotely over the network without authentication, privileges, or user interaction, requiring only low attack complexity. Exploitation triggers a null pointer dereference, causing the PCF service to crash and resulting in a denial-of-service condition that disrupts policy control operations in the 5G core network.

The free5gc project documented the issue in GitHub issue #726 (https://github.com/free5gc/free5gc/issues/726) and addressed it with a patch in pull request #57 of the pcf repository (https://github.com/free5gc/pcf/pull/57). Practitioners running free5gc pcf 1.4.0 should apply the patch or upgrade to a fixed version to mitigate the risk.

Vulnerability details

Null pointer dereference in free5gc pcf 1.4.0 in file internal/sbi/processor/ampolicy.go in function HandleDeletePoliciesPolAssoId.

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1499.004 · Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Null pointer dereference enables remote unauthenticated exploitation to crash the PCF service (Endpoint DoS via application exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1739 · Same product: Free5Gc Pcf
CVE-2026-41135 · Same product: Free5Gc Pcf
CVE-2025-69252 · Same vendor: Free5Gc
CVE-2026-26025 · Same vendor: Free5Gc
CVE-2026-26024 · Same vendor: Free5Gc
CVE-2026-33063 · Same vendor: Free5Gc
CVE-2026-1973 · Same vendor: Free5Gc
CVE-2026-1976 · Same vendor: Free5Gc
CVE-2026-44322 · Same vendor: Free5Gc
CVE-2026-25501 · Same vendor: Free5Gc

Affected Assets

Vendor: free5gc · Product: pcf · Version: 1.4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly mitigates the null pointer dereference by requiring timely application of the vendor patch or upgrade for free5gc pcf 1.4.0.

prevent

Protects the Policy Control Function against remote unauthenticated denial-of-service attacks that trigger the service crash via network traffic restrictions.

prevent

Ensures robust error handling in the HandleDeletePoliciesPolAssoId function to avoid exploitable crashes from null pointer dereferences.
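
The page does not show the faulty code, so the following is an added Go example (not free5gc code and not the project's patch) of the general CWE-476 pattern in a delete-by-ID path and the kind of check the error-handling control above calls for. The types, function names, status-code return shape and sample values are all hypothetical.

```go
package main

import "fmt"

// amPolicy and ueContext are hypothetical stand-ins, not free5gc types.
type amPolicy struct{ notifyURI string }

type ueContext struct {
	policies map[string]*amPolicy // keyed by polAssoId
}

// deleteUnchecked shows the CWE-476 pattern: a map miss yields a nil
// *amPolicy, and reading a field through it panics.
func deleteUnchecked(ue *ueContext, polAssoID string) (int, string) {
	p := ue.policies[polAssoID]
	uri := p.notifyURI // nil dereference when polAssoID is unknown
	delete(ue.policies, polAssoID)
	return 204, uri
}

// deleteChecked returns 404 for a missing context or unknown ID before any
// pointer is dereferenced, and 204 with the callback URI on success.
func deleteChecked(ue *ueContext, polAssoID string) (int, string) {
	if ue == nil {
		return 404, ""
	}
	p, ok := ue.policies[polAssoID]
	if !ok || p == nil {
		return 404, ""
	}
	delete(ue.policies, polAssoID)
	return 204, p.notifyURI
}

// panics reports whether f panics, so both variants can be compared safely.
func panics(f func()) (did bool) {
	defer func() { did = recover() != nil }()
	f()
	return false
}

func main() {
	// Constructed sample data.
	ue := &ueContext{policies: map[string]*amPolicy{"assoc-1": {notifyURI: "http://amf.example/cb"}}}
	fmt.Println(panics(func() { deleteUnchecked(ue, "unknown") }))
	fmt.Println(deleteChecked(ue, "unknown"))
	fmt.Println(deleteChecked(ue, "assoc-1"))
}
```
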
