CVE-2025-66720
Published: 23 January 2026
Summary
CVE-2025-66720 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Free5Gc Pcf. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 8.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-11 (Error Handling).
Deeper analysis
CVE-2025-66720, published on 2026-01-23, is a null pointer dereference vulnerability (CWE-476) affecting free5gc pcf version 1.4.0. The flaw resides in the file internal/sbi/processor/ampolicy.go within the function HandleDeletePoliciesPolAssoId. free5gc is an open-source implementation of a 5G core network, and pcf refers to its Policy Control Function component. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high availability impact.
An attacker can exploit this vulnerability remotely over the network without authentication, privileges, or user interaction, requiring only low attack complexity. Exploitation triggers a null pointer dereference, causing the PCF service to crash and resulting in a denial-of-service condition that disrupts policy control operations in the 5G core network.
The free5gc project documented the issue in GitHub issue #726 (https://github.com/free5gc/free5gc/issues/726) and addressed it with a patch in pull request #57 of the pcf repository (https://github.com/free5gc/pcf/pull/57). Practitioners running free5gc pcf 1.4.0 should apply the patch or upgrade to a fixed version to mitigate the risk.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4247
Vulnerability details
Null pointer dereference in free5gc pcf 1.4.0 in file internal/sbi/processor/ampolicy.go in function HandleDeletePoliciesPolAssoId.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Null pointer dereference enables remote unauthenticated exploitation to crash the PCF service (Endpoint DoS via application exploitation).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the null pointer dereference by requiring timely application of the vendor patch or upgrade for free5gc pcf 1.4.0.
Protects the Policy Control Function against remote unauthenticated denial-of-service attacks that trigger the service crash via network traffic restrictions.
Ensures robust error handling in the HandleDeletePoliciesPolAssoId function to avoid exploitable crashes from null pointer dereferences.