Cyber Resilience

CVE-2026-37235

HighPublic PoC

Published: 01 June 2026

Published
01 June 2026
Modified
03 June 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0040 31.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-37235 is a high-severity Improper Access Control (CWE-284) vulnerability in Mosaic5G Flexric. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

No EU or UK CSIRT advisories indexed for this CVE.

Vulnerability details

FlexRIC v2.0.0 trusts the xapp_id field from E42 message payloads without binding it to the sender's SCTP association. The validation function valid_xapp_id() only checks that the value is within the assigned range. A remote unauthenticated attacker can impersonate any xApp…

more

by specifying their xapp_id in requests sent to the iApp (port 36422), causing responses to be misrouted to the victim xApp. This can crash the victim xApp, the RIC, or the iApp itself through state inconsistencies in the red-black tree data structure.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated impersonation via unvalidated xapp_id in E42 messages directly enables exploitation of the public-facing iApp service on port 36422.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-37229Same product: Mosaic5G Flexric
CVE-2026-37228Same product: Mosaic5G Flexric
CVE-2026-37230Same product: Mosaic5G Flexric
CVE-2026-37226Same product: Mosaic5G Flexric
CVE-2026-37234Same product: Mosaic5G Flexric
CVE-2026-37231Same product: Mosaic5G Flexric
CVE-2026-37233Same product: Mosaic5G Flexric
CVE-2026-23899Shared CWE-284
CVE-2026-31843Shared CWE-284
CVE-2025-50105Shared CWE-284

Affected Assets

mosaic5g
flexric
2.0.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-284

The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.

addresses: CWE-284

Device lock enforces restricted access until re-authentication, directly reducing unauthorized use of active sessions.

addresses: CWE-284

Supervision and review of access control activities directly detects and remediates improper access configurations or usages.

addresses: CWE-284

Explicitly identifying and documenting actions permitted without identification or authentication enforces proper access control boundaries by defining justified exceptions.

addresses: CWE-284

By automatically labeling outputs with security attributes, the control supports attribute-based enforcement and reduces exploitability of improper access control weaknesses.

addresses: CWE-284

Associating and retaining security attributes with data directly supports enforcement of access control decisions across storage, processing, and transmission.

addresses: CWE-284

Requiring prior authorization for each remote access type prevents improper access control over remote connections.

addresses: CWE-284

Requiring authorization of wireless access before allowing connections enforces proper access control for this access method.

References