EXECUTIVE SUMMARY:
HPE Aruba Networking has released security updates to address multiple critical vulnerabilities in its Private 5G Core platform affecting versions 1.24.3.0 through 1.24.3.3. The issues, discovered by researchers, expose core components of private 5G deployments to authentication bypass, service disruption, and sensitive information disclosure. The most severe flaw enables an unauthenticated remote attacker to create a new administrative account through the application API, granting full control over system configurations and access to sensitive network data. Additional vulnerabilities allow attackers to trigger service restarts through the management API, potentially causing denial-of-service conditions and impacting network availability. Two other flaws expose internal details such as user accounts, assigned roles, and configuration data, which could aid further compromise when chained with other weaknesses. Successful exploitation of these issues could result in unauthorized administrative access, operational disruption, and data exposure within private 5G environments. The vendor has addressed the vulnerabilities in a newer software release and recommends upgrading affected deployments to mitigate the risk of exploitation.
These vulnerabilities expose private 5G core environments to unauthorized access, service disruption, and sensitive data exposure. Applying the updated software version is essential to prevent potential compromise of critical network infrastructure.
RECOMMENDATION:
We strongly recommend updating HPE Aruba Networking Private 5G Core to version 1.25.1.0 or later.
REFERENCES:
The following reports contain further technical details: