Impact
The vulnerability arises from the OpenAirInterface v2.2.0 AMF's handling of registration messages. When out-of-sequence messages are received, the AMF performs an incorrect state transition during the UE registration procedure, allowing an attacker to bypass authentication entirely. An attacker who can craft or replay messages such as SecurityModeComplete after an InitialUERegistration can force the AMF to send a RegistrationReject followed by a RegistrationAccept, thereby inserting a UE into the network as if it had successfully authenticated. This bypass permits unauthorized network access, potentially compromising confidentiality, integrity, and availability for any services relying on proper UE authentication.
Affected Systems
The issue is contained in the OpenAirInterface CN5G AMF component, specifically version 2.2.0. Systems running this version of the AMF, distributed by OpenAirInterface, are vulnerable. There are no vendor-specific updates or workarounds listed; the affected product is identified by the CPE identifier cpe:2.3:a:openairinterface:oai-cn5g-amf:2.2.0. Systems that rely on this software for 5G core network management should review their deployment to determine whether they are impacted.
Risk and Exploitability
The CVSS score of 9.8 indicates critical severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild; no prior exploits have been reported and the vulnerability is not in the KEV list. The likely attack vector is network-based: an adversary who can reach the AMF sends crafted UE registration traffic to trigger the out-of-sequence handling flaw. Since the bypass requires no prior authentication, the risk is high for any operator hosting unpatched AMF instances. Because the issue arises during a routine registration flow, attackers with network visibility into the 5G core can craft and send the required messages with relatively little effort.
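To make the flaw described under Impact and the exposure described here concrete from the defender's side, the following is an added example (not code from OpenAirInterface or from this advisory). It models a simplified registration state machine that discards any uplink message arriving in a state where it is not expected, so a SecurityModeComplete received before a SecurityModeCommand was sent cannot advance the UE to RegistrationAccept, and it runs a log-based check for the two symptoms the advisory names: a SecurityModeComplete with no preceding SecurityModeCommand in the same registration attempt, and a RegistrationReject followed by a RegistrationAccept for the same UE. The state names, transition table, log line format and sample trace are assumptions constructed for the example, not OAI's internal structures or log format.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional, Tuple

class UeState(Enum):
    DEREGISTERED = auto()
    AUTH_PENDING = auto()   # AuthenticationRequest sent, awaiting AuthenticationResponse
    SMC_PENDING = auto()    # SecurityModeCommand sent, awaiting SecurityModeComplete
    REGISTERED = auto()

# Uplink message -> (state in which it is valid, downlink reply, next state).
# Constructed, simplified transition table; not OAI's state names and not a
# complete NAS registration procedure.
TRANSITIONS = {
    "RegistrationRequest":    (UeState.DEREGISTERED, "AuthenticationRequest", UeState.AUTH_PENDING),
    "AuthenticationResponse": (UeState.AUTH_PENDING,  "SecurityModeCommand",   UeState.SMC_PENDING),
    "SecurityModeComplete":   (UeState.SMC_PENDING,   "RegistrationAccept",    UeState.REGISTERED),
}

@dataclass
class UeContext:
    supi: str
    state: UeState = UeState.DEREGISTERED
    discarded: List[Tuple[str, str]] = field(default_factory=list)  # (state, message) pairs

def handle_uplink(ctx: UeContext, msg: str) -> Optional[str]:
    """Apply one uplink NAS message and return the downlink reply.
    A message that is not valid in the UE's current state is recorded and
    discarded without changing the state, so an out-of-sequence
    SecurityModeComplete never yields a RegistrationAccept."""
    entry = TRANSITIONS.get(msg)
    if entry is None or ctx.state is not entry[0]:
        ctx.discarded.append((ctx.state.name, msg))
        return None
    _, reply, next_state = entry
    ctx.state = next_state
    return reply

def run_uplink_sequence(msgs: List[str]) -> Tuple[List[Optional[str]], UeContext]:
    """Feed a sequence of uplink messages for one (hypothetical) UE through the
    state machine and return the replies together with the final context."""
    ctx = UeContext("imsi-example")
    return [handle_uplink(ctx, m) for m in msgs], ctx

# Constructed NAS trace, one line per message: "<time> <supi> <UL|DL> <message>".
# imsi-001 registers normally; imsi-002 shows the sequence from the advisory.
SAMPLE_LOG = [
    "10:00:01 imsi-001 UL RegistrationRequest",
    "10:00:01 imsi-001 DL AuthenticationRequest",
    "10:00:02 imsi-001 UL AuthenticationResponse",
    "10:00:02 imsi-001 DL SecurityModeCommand",
    "10:00:03 imsi-001 UL SecurityModeComplete",
    "10:00:03 imsi-001 DL RegistrationAccept",
    "10:01:00 imsi-002 UL RegistrationRequest",
    "10:01:00 imsi-002 DL AuthenticationRequest",
    "10:01:01 imsi-002 UL SecurityModeComplete",
    "10:01:01 imsi-002 DL RegistrationReject",
    "10:01:02 imsi-002 DL RegistrationAccept",
]

def detect_sequence_anomalies(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (time, supi, reason) findings for per-UE traces that show either
    symptom from the advisory. Both trackers reset on each new RegistrationRequest
    so a legitimate re-registration after a reject is not flagged."""
    smc_sent = {}   # supi -> SecurityModeCommand sent in this attempt
    rejected = {}   # supi -> RegistrationReject sent in this attempt
    findings = []
    for line in log_lines:
        ts, supi, direction, msg = line.split()
        if direction == "UL" and msg == "RegistrationRequest":
            smc_sent[supi] = False
            rejected[supi] = False
        elif direction == "DL" and msg == "SecurityModeCommand":
            smc_sent[supi] = True
        elif direction == "UL" and msg == "SecurityModeComplete":
            if not smc_sent.get(supi, False):
                findings.append((ts, supi, "SecurityModeComplete without SecurityModeCommand"))
        elif direction == "DL" and msg == "RegistrationReject":
            rejected[supi] = True
        elif direction == "DL" and msg == "RegistrationAccept":
            if rejected.get(supi, False):
                findings.append((ts, supi, "RegistrationAccept after RegistrationReject"))
    return findings

if __name__ == "__main__":
    replies, ctx = run_uplink_sequence(["RegistrationRequest", "SecurityModeComplete"])
    print("replies:", replies, "final state:", ctx.state.name, "discarded:", ctx.discarded)
    for finding in detect_sequence_anomalies(SAMPLE_LOG):
        print("ALERT", *finding)
```

The state machine half shows the property a patched AMF needs: the reply to a message depends on the state the UE is actually in, and an unexpected message leaves the state untouched rather than nudging it forward. The detector half is what an operator can run today over NAS signalling logs, regardless of AMF version, to spot the reject-then-accept pattern that a successful bypass would leave behind.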
OpenCVE Enrichment