cbcvebase.
CVE-2022-38870
published 2022-10-25

CVE-2022-38870: Free5gc v3.2.1 is vulnerable to Information disclosure.

PriorityP349high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
2.86%
85.0th percentile
Free5gc v3.2.1 is vulnerable to Information disclosure.

Affected

1 ranges
VendorProductVersion rangeFixed in
free5gcfree5gc

Detection & IOCsextracted from sources · hover to see the quote

urlGET /api/subscriber HTTP/1.1
otherToken: admin
path/api/subscriber
  • Detect unauthenticated GET requests to /api/subscriber with a static 'Token: admin' header returning HTTP 200 with JSON body containing 'plmnID' and 'ueId' fields — indicative of CVE-2022-38870 exploitation against Free5gc 3.2.1.
  • Response body match: look for both '"plmnID":' and '"ueId":' in a JSON response from /api/subscriber to confirm successful information disclosure.
  • Response Content-Type header 'application/json' combined with HTTP 200 status on /api/subscriber confirms the endpoint is exposing subscriber data.
  • Use Shodan queries 'http.title:"free5GC Web Console"' or 'http.title:"free5gc web console"' to identify internet-exposed Free5gc instances potentially vulnerable to this CVE.
  • Use FOFA query 'title="free5gc web console"' or Google dork 'intitle:"free5gc web console"' to identify exposed Free5gc web consoles.
  • ·The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function), meaning the /api/subscriber endpoint requires no valid credentials beyond a static hardcoded 'Token: admin' header value.
  • ·This CVE affects specifically Free5gc version 3.2.1; the vulnerable endpoint is /api/subscriber accessible via the web console interface.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.