CVE-2026-37235: FlexRIC E42 Message Authentication Bypass – RIC Denial of Service
FlexRIC v2.0.0 contains a critical authentication bypass flaw in its E42 message handler. An attacker on the network can forge requests claiming to be any authorized xApp (a RIC application component) without proving their identity. The system validates only that the claimed xApp ID falls within a valid range, but does not verify that the request actually originated from that xApp. By sending a malicious request with a spoofed xApp ID to the iApp service on port 36422, an attacker can trick the RIC into routing responses to a legitimate xApp, corrupting its internal state and potentially crashing it, the RIC itself, or the iApp.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-284
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
FlexRIC v2.0.0 trusts the xapp_id field from E42 message payloads without binding it to the sender's SCTP association. The validation function valid_xapp_id() only checks that the value is within the assigned range. A remote unauthenticated attacker can impersonate any xApp by specifying their xapp_id in requests sent to the iApp (port 36422), causing responses to be misrouted to the victim xApp. This can crash the victim xApp, the RIC, or the iApp itself through state inconsistencies in the red-black tree data structure.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from improper input validation in FlexRIC's E42 message processing logic. The valid_xapp_id() function performs only a range check on the xapp_id field extracted from incoming E42 payloads, without binding that identifier to the SCTP association over which the message arrived. An unauthenticated remote attacker can send a crafted E42 message to the iApp listening on port 36422, specifying an arbitrary xapp_id value. The iApp then routes responses to the victim xApp based on this untrusted identifier, leading to message misrouting. The victim xApp receives responses it did not request, causing state machine violations in the red-black tree data structure used internally, ultimately leading to denial of service through crash or resource exhaustion.
Business impact
RIC deployments using FlexRIC v2.0.0 face denial of service risk to their xApp ecosystem and core RIC infrastructure. An attacker with network access to the iApp port can selectively disrupt or crash critical xApps without authentication, potentially affecting radio resource management, network optimization, or other real-time RAN intelligence functions. If the RIC itself or the iApp crashes, the entire intelligent RAN control plane becomes unavailable until recovery, causing loss of dynamic network optimization and monitoring capabilities. This impacts service quality for radio access networks relying on automated RIC-driven decisions.
Affected systems
The vulnerability affects FlexRIC v2.0.0 from mosaic5g. Organizations running this version should assume their systems are at risk if the iApp service (port 36422) is reachable from untrusted network segments. Verify your FlexRIC deployment version against the product documentation. Later versions may contain fixes; consult the mosaic5g security advisories for confirmation of patched releases.
Exploitability
Exploitability is high. The attack requires only network access to port 36422; no authentication, credentials, or user interaction are needed. The valid_xapp_id() check is trivial to bypass—an attacker simply needs to discover or guess a valid xApp ID from the assigned range (which may be deterministic or easily enumerated). The CVSS 3.1 score of 7.5 (HIGH) reflects these factors: network-based attack vector, low attack complexity, no privileges required, no user interaction, and high availability impact with no confidentiality or integrity compromise.
Remediation
Upgrade FlexRIC to a patched version that implements sender association binding. The fix must validate that the xapp_id in an E42 message matches the xApp actually connected over the SCTP association carrying that message, not just that the ID falls within a valid range. Until patching is possible, implement network controls: restrict access to port 36422 to only trusted xApp endpoints, use firewall rules to isolate the iApp from untrusted network segments, and monitor for unexpected xApp connections or misrouted messages.
Patch guidance
Contact mosaic5g or consult the official FlexRIC security advisories to identify the minimum patched version addressing CVE-2026-37235. Test the patched release in a non-production RIC environment to ensure compatibility with your xApp topology and RIC configuration before deploying to production. Verify that the patch implements cryptographic or association-level binding of xapp_id to the sender's SCTP connection, not merely a different range check.
Detection guidance
Monitor iApp logs and packet captures for E42 messages with xapp_id values that do not correspond to known connected xApps. Track SCTP association state and flag any xapp_id in an incoming message that mismatches the SCTP peer address. Watch for unexplained xApp crashes or state machine errors in the red-black tree (consult RIC logs for data structure corruption warnings). Consider deploying network intrusion detection signatures that identify forged E42 messages by correlating xapp_id values with actual SCTP peer identities.
Why prioritize this
Despite not appearing on the CISA KEV catalog, this vulnerability merits immediate attention because it enables unauthenticated network-based denial of service to critical RAN intelligence infrastructure with minimal attack effort. RIC systems are central to modern mobile network automation; their compromise affects radio access quality across multiple services. The lack of authentication and the trivial complexity of the exploit offset the fact that impact is limited to availability (no data exfiltration). Organizations operating production RICs should treat this as urgent.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) correctly reflects a remotely exploitable vulnerability with no authentication or user interaction barriers. The vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H captures: network-wide attack surface, straightforward exploitation, and severe availability impact. The absence of confidentiality and integrity compromise prevents a CRITICAL rating, but the ease of exploitation and impact on infrastructure availability justify HIGH priority in a RIC deployment context.
Frequently asked questions
Do I need credentials or prior network compromise to exploit this vulnerability?
No. The vulnerability requires only network-level access to port 36422. An unauthenticated attacker from any network segment that can reach the iApp can send a crafted E42 message. No credentials, account compromise, or prior foothold is necessary.
How do I know if my xApp or RIC has been targeted?
Monitor xApp logs for unexpected state machine errors, red-black tree corruption warnings, or crashes without a clear cause. In RIC logs, look for misrouted messages or xapp_id values that do not match the SCTP peer sending them. Packet captures of port 36422 traffic should show whether E42 messages are arriving from unexpected sources.
Can this vulnerability be exploited to steal data or manipulate network configuration?
No. The vulnerability only causes denial of service by crashing xApps or the RIC. It does not enable confidentiality or integrity attacks. An attacker cannot read sensitive data, modify RAN policies, or persist a compromise; they can only disrupt availability until the xApp or RIC recovers.
What is the xapp_id and where can I find the valid range for my RIC?
The xapp_id is a numeric identifier assigned to each xApp (RIC application) running in your RIC cluster. The valid range is deployment-specific and typically defined in your RIC configuration files or mosaic5g documentation. Enumerating this range is trivial, which is why network segmentation is a critical interim control.
This analysis is based on the published CVE record and mosaic5g vendor data as of the modification date (2026-06-17). Patch availability, exploitation activity, and vendor guidance may have evolved; verify current status with mosaic5g official channels before making deployment decisions. SEC.co does not provide exploit code or weaponization instructions. The vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities catalog; however, public disclosure may accelerate exploitation development. Organizations should prioritize patching and network controls based on their RIC exposure and risk tolerance, not solely on KEV status. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-22426HIGHAndroid ComputerEngine URI Escalation Privilege Vulnerability
- CVE-2026-32995HIGHRocket.Chat DDP Authentication Bypass Exposes All Private Messages
- CVE-2026-35277HIGHOracle REST Data Services Authorization Bypass
- CVE-2026-40715HIGHDell ThinOS 10 Privilege Escalation Vulnerability
- CVE-2024-27891MEDIUMArista EOS MACsec + Egress ACL Policy Enforcement Failure
- CVE-2026-10152MEDIUMImproper Access Control in TaleLin lin-cms-spring-boot Book Endpoint
- CVE-2026-10172MEDIUMBdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability
- CVE-2026-10205MEDIUMUnrestricted File Upload in Metasoft MetaCRM 6.4.0 – Exploit Details & Remediation