Investigating Security Vulnerabilities in 5G Control and User Planes: Attack Patterns and Protection Strategies

Abstract

The rollout of 5G Standalone networks introduces unprecedented flexibility and performance through service-based architecture (SBA), virtualization, open APIs, and network slicing, while simultaneously expanding the attack surface across control, user, and cross-plane interfaces. This article provides a systematic, vulnerability-prioritized, selective characterization of the current state of weaknesses specific to the 5G control and user planes and transparent risk scoring. Using a PRISMA-aligned methodology, vulnerabilities are mapped explicitly to 3GPP network functions and interfaces (e.g., AMF, SMF, UPF; N2, N4, SBA APIs) and categorized by operational evidence level ranging from theoretical analysis to documented live-network exploitation. A normalized criticality scoring model integrates likelihood, impact, exploitability, and CVSS-derived severity. The analysis shows that control-plane signaling floods, PFCP misuse, and container escapes stand out as the most pressing risks. It also exposes how little attention has been given to securing the user plane and strengthening slice isolation. The paper wraps up with clear, evidence-based hardening priorities for each plane, along with research areas that matter for today’s 5G networks and the shift toward 6G.

1. Introduction

The deployment of fifth-generation (5G) mobile networks represents a fundamental architectural shift from previous cellular generations. Core network functions are decomposed into service-based components, implemented predominantly as cloud-native network functions (CNFs), and interconnected via open APIs. While these design choices enable scalability, flexibility, and rapid service innovation, they also expand the attack surface and introduce new categories of vulnerabilities that differ materially from those observed in legacy LTE networks.

Recent research has examined individual aspects of 5G security, including authentication protocol weaknesses, container and supply-chain risks, and the application of machine learning to intrusion detection. However, many existing surveys either aggregate threats broadly across the entire 5G stack or focus on isolated mechanisms without explicitly linking vulnerabilities to architectural elements or operational risk. As a result, practitioners lack a clear, evidence-based prioritization of threats across the control and user planes.

This work addresses that gap by providing a selective, vulnerability-prioritized review of security weaknesses specific to the 5G control and user planes. The contributions of this paper are threefold. First, vulnerabilities are systematically mapped to 3GPP-defined network functions and interfaces, enabling architectural traceability. Second, threats are prioritized using a normalized criticality scoring model that integrates exploit likelihood, impact, and empirical evidence. Third, the analysis distinguishes between legacy threats that persist in 5G and vulnerabilities that are native to service-based, virtualized architectures, thereby informing both near-term hardening and longer-term research directions.

Recent studies in 5G security address dynamic network slicing security [1], machine learning for attack detection [2], and real-world exploit demonstrations in operator networks [2,3]. The unique challenges of securing programmable, virtualized, and disaggregated architectures are pervasive themes, with much attention focused on supply chain risk in CNFs [4,5], protocol integrity [6,7], and adaptive, AI-driven defense frameworks. Compared to our work, these studies often focus on individual mechanisms or specific attacks, whereas we synthesize cross-sectional vulnerabilities and map them against mitigations and research gaps identified by the top venues. This paper advances the ongoing discussion of 5G security with a dual focus and clear, actionable objectives:

• Vulnerability Analysis: We systematically categorize reported vulnerabilities specific to 5G networks, providing a detailed understanding of the associated risks and threats. These vulnerabilities are selectively characterized to facilitate actionable mitigation strategies.
• Mitigation Strategy: We propose a set of practical, deployable security controls and countermeasures designed to effectively mitigate the identified risks.

1.1. Scope and Contribution

This article functions as a vulnerability-prioritized survey and perspective paper. While recent studies in 5G security have addressed dynamic network slicing [8], machine learning for attack detection [2], and specific supply chain risks [4,5], the existing literature often focuses on individual mechanisms in isolation. Unlike previous surveys that focus broadly on 5G threats, this work specifically synthesizes cross-sectional vulnerabilities within the Control and User Planes. We advance the ongoing discussion by:

• Systematic Mapping: We map vulnerabilities directly to the architectural elements defined in the 5G SBA (Figure 1 and

  Table A1. Core 5G Architectural Elements and Associated Security Roles/Attack Surfaces.

  Plane/Layer	Element (Acronym)	Description/Primary Role	Security Context/Attack Surface Focus
  Common Data Layer	UDR (Unified Data Repository)	Storage for data shared among network functions	Confidentiality/Integrity (Target for data exfiltration; repository for subscriber data)
  	USDF (Unstructured Data Storage Function)	Stores non-standardized, unstructured data	Data Integrity/Availability (Target for tampering with non-standardized data sets)
  Control Plane	AUSF (Authentication Server Function)	Handles authentication and security procedures	Authentication Bypass (Primary target for identity spoofing and unauthorized access)
  	AMF (Access and Mobility Management Function)	Manages access control and mobility procedures.	Denial of Service (DoS) (Target for disrupting connection/mobility management, location tracking)
  	UDM (Unified Data Management function	Stores/retrieves subscriptions, profiles, and authentication data.	Confidentiality/Privacy (Manages sensitive subscriber/profile data)
  	SMF (Session Management Function)	Establishes and manages sessions for all access types.	Session Hijacking/DoS (Target for disrupting session setup, policy enforcement, and charging)
  	PCF (Policy Control Function)	Supports unified policy structure; provides policy rules to control plane functions.	Policy Manipulation (Target for altering network behavior, Quality of Service (QoS), or charging rules)
  	NEF (Network Exposure Function)	Securely exposes capabilities and events to third-party applications	API/Exposure Attacks (Gateway for external threats, focusing on secure API design and rate limits)
  	NSSF (Network Slice Selection Function)	Determines network slices serving the User Equipment (UE)	Slice Isolation Compromise (Target for crossing boundaries between tenants/service types)
  User Plane	UPF (User Plane Function)	Responsible for packet routing, forwarding, and inspection	DDoS/Traffic Injection (Primary target for overwhelming the user plane, man-in-the-middle attacks on traffic)
  Access/Endpoints	UE (User Equipment)	The end-user device (e.g., smartphone or IoT device)	Device/Endpoint Compromise (Source or victim of attacks; supply chain/firmware vulnerabilities)
  	NG-RAN (Next Generation Radio Access Network)	Handles radio communication with the UE	Radio Interface Attacks (Physical layer threats, jamming, cell-site spoofing)
  Non-service-based Pieces	3rd Party Apps: External applications that can interact with the 5G core network through the NEF
  	Roaming Partners: Represents other network operators for roaming scenarios
  	DN (Data Network): Represents the external data network, such as the Internet

  ).
• Vulnerability Prioritization: We characterize threats based on their interaction with legacy vs. 5G-native interfaces (e.g., N2, N4).
• Actionable Mitigation: We propose a defense framework (

  Table A2. Classification of 5G Vulnerability Mitigation Strategies.

  Mitigation Domain	Mitigation Strategy	Vulnerability Cause/Context	Goal/Specific Action
  Identity and Data	Robust Encryption and Authentication	Complexity of protocols and network layers, leading to misconfiguration or weak points	Implement strong Post-Quantum Cryptography and Multi-Factor Authentication (MFA) protocols to protect data and access
  Architecture	Secure Network Architecture	Increased attack surface, reliance on legacy infrastructure, supply chain weaknesses, and misconfiguration	Segregate critical Network Components (NFs) and implement hardened firewalls and access control policies (e.g., Zero Trust principles)
  Operations	Continuous Monitoring and Threat Intelligence	Cost and complexity of security tools, integration challenges, alert fatigue, and lack of awareness	Employ advanced monitoring tools (SIEM, SOAR) and techniques for real-time visibility and proactive threat hunting
  Personnel	Education and Awareness	Rapid technological evolution, technical complexity, and focus on functionality over security	Educate network operators, service providers, and end-users on security best practices, emerging threats, and secure coding
  Governance	Collaboration and Cooperation	Competition, lack of trust and transparency, and short-term priority focus across global stakeholders	Foster open collaboration between stakeholders (vendors, operators, regulators) to share threat data and security best practices
  Supply Chain	Supply Chain Transparency and Control	Vulnerabilities in network equipment or software from any vendor can compromise the entire network	Mandate rigorous vetting and security testing of all supply chain components and promote transparency among all stakeholders
  Foundational	Strong Cyber Hygiene	Lack of a strong basis for more sophisticated security measures, leading to easy initial access for attackers	Enforce baseline policies like patch management, strong password enforcement, and regular audits to reduce attack vulnerabilities and improve visibility

  ) that connects high-level strategies to specific root causes.

By offering a path from comprehensive analysis to actionable recommendations, this article directly contributes to the development of more resilient 5G networks, ensuring that the full benefits of this technology are realized without compromising user protection or data security against evolving threats.

1.2. Related Work and Analytical Positioning

Research into 5G network security has been the focus of several studies in recent times [8,9,10]. The majority of network slicing security surveys focus primarily on isolating techniques [11]. Investigations at the authentication protocol level reveal vulnerabilities in 5G-AKA authentication [11]. Most machine learning for intrusion detection studies concentrate on the techniques used in the algorithms rather than the various categories of computer vulnerabilities [2]. Mainly, reviews on containerization and supply chain security focus on building a software pipeline [4,5,12]. It stands out from other studies by:

• Organizing defenses by plane: In the threat-type model, we organize by threat, but in this methodology, we group together services by plane (user, control, and cross plane) to allow the defense to be prioritized by network segment.
• The likelihood, impact, and exploitability of the vulnerabilities are assessed using a semi-quantitative method to determine their criticality.
• Conducting a gap analysis between standards and practice: We have mapped the vulnerabilities found against the 3GPP technical standards and have identified areas where these standards do not cover the vulnerabilities we have found.
• Actionable: The system includes a consolidated defense matrix. This is a framework in which each class of possible vulnerability in a network is connected to specific counter-measures and the quantifiable performance trade-offs of these counter-measures.
• Unlike previous security solutions designed with legacy 4G in mind, this research focuses on 5G native threats that will also persist into 6G systems.

2. Methodology

To ensure a comprehensive and vulnerability-prioritized characterization of 5G security, we employed a structured literature review process focusing on developments from the last five years.

2.1. Search Strategy and Systematic Literature Review Protocol

To thoroughly characterize the security of 5G, a structured analysis of the literature was undertaken, which prioritized vulnerabilities, in accordance with PRISMA guidelines. This review encompassed research from the time period 2020 to 2025.

Search Scope and Databases: The following academic databases were accessed in order to find relevant literature on the subject: IEEE Xplore, ACM Digital Library, SpringerLink, and Google Scholar. Several databases contain data on mobile industry vulnerabilities, including NIST’s National Vulnerability Database (NVD) and Common Vulnerabilities and Exposures (CVE) list. The GSMA Intelligence research division also provides in-depth analysis on security threats and trends affecting the mobile industry. The 3GPP security specifications include the technical specifications TS 33 series. These security specifications cover various security features. In addition to the TS 33 series, the 3GPP also issues security advisories. These advisories deal with newly discovered security vulnerabilities. They are issued as soon as possible after the discovery of the vulnerability. Further, a few other security-related papers from various sources are referenced, including NDSS, IEEE S&P, and CCS conferences, and research papers from Ericsson, Nokia, and Samsung.

Search Keywords and Strategy: Using keyword combinations in a Boolean search across categories of publication type, year of publication, and language allowed us to identify relevant documents.

• 5G Architecture: “5G”, “service-based architecture”, “SBA”, “network function”, “NFV”;
• Planes: “control plane”, “user plane”, “data plane”, “signaling”, “GTP”, “N2 interface”, “N4 interface”;
• Threats: “vulnerability”, “attack”, “DDoS”, “PFCP”, “network slicing”, “container escape”, “radio access”, “spectrum”.

Search strings combined architectural terms (e.g., “5G”, “service-based architecture”, “network function”), plane-specific keywords (“control plane”, “user plane”, “N2”, “N4”, “GTP-U”), and threat descriptors (“vulnerability”, “attack”, “DDoS”, “PFCP”, “container escape”). Example queries included: (“5G” AND “control plane” AND “vulnerability”) and (“5G” AND “PFCP” AND “attack”). Final search strings and database-specific results are provided in Appendix A.

Example queries: (“5G” AND (“control plane” OR “N2 interface”) AND (“vulnerability” OR “attack”)); (“5G” AND “network slicing” AND (“isolation” OR “breach”)); (“5G” AND “PFCP” AND “attack”).

2.2. Search Inclusion and Exclusion Criteria

The research included studies which appeared between 2020 and 2025. The research included only those sources which studied 5G architecture vulnerabilities that impact Standalone deployment systems. The researchers studied Legacy LTE threats because 5G introduced SBA and virtualization and slicing technology, which transformed how attackers could access and exploit network systems. The research team omitted studies which did not prove wireless security architectural value or studied only RF physical layer performance or lacked vital technical details.

Sources were prioritized based on two criteria: (1) Relevance to the separation of Control and User planes, and (2) Validation status (favoring threats validated in testbeds or commercial environments over purely theoretical exploits). We excluded general wireless sensor network security papers that did not address 5G-specific architectural elements. The details are as follows:

Sources were included if they: (i) address vulnerabilities/attacks specific to 5G architecture (not 4G/LTE); (ii) describe either: (a) implementation-validated threats (tested in testbeds or commercial networks), or (b) theoretical vulnerabilities with clear exploitation pathways; and if (iii) each option can be represented as a separate class, e.g., ServiceBasedInterface, CrossPlaneElement, GtpuUserPlane; N2 and N4 can be combined into a class, and here is also the possibility of just having two classes, UserPlane and ControlPlane, with a third class for the elements that span planes; and (iv) were published etween the years of 2020 and 2025; priority will be given to research focusing on 5G Stand Alone and not 5G Non-Standalone networks.

Exclusion Criteria: Sources were excluded if they: (i) address general wireless/cellular security without 5G specificity; (ii) describe purely theoretical attacks with no exploitation methodology; (iii) focus exclusively on the radio frequency (RF) physical layer without architectural relevance; (iv) are white papers lacking peer review or academic rigor; and (v) duplicate earlier findings without novel insights.

2.3. Vulnerability Mapping and Taxonomy Development

The mapping of the system to potential threats and weaknesses involved a multi-stage process, which was as follows:

Stage 1: Architectural Classification—The identified vulnerabilities were grouped according to the primary system they affect, that is, their attack surface.

• Control Plane: gNB-AMF, SMF-UPF, AMF, N3, N4, N2, AUSF, AF, HSS, service-based interfaces, SBA APIs, N6, N7;
• User Plane: GTP-U (tunnel encapsulation), UPF data forwarding, inter-slice traffic;
• Cross-Plane: Network slicing isolation, shared resource contention, physical layer interference for the elements which span planes.

Stage 2: Criticality Assessment—The ratings of potential vulnerabilities were given using a semi-quantitative scoring system that combines implementation evidence and impact on operator environments. Risk score R is defined as follows:

R = (probability of an exploit × impact of an exploit × likelihood of an exploit) + CVSS score of the weakness.

Here, probability captures whether a practical exploit exists (proof of concept or test cases observed in real operation), impact reflects the expected business and technical damage (e.g., significant loss of company confidence and adverse business impact due to theft of sensitive customer details), and likelihood captures real-world frequency of occurrence.

These threats are categorized as critical if $R\ge 0.7$, high if $0.5\le R<0.69$, medium if $0.3\le R<0.49$, and low if $R<0.3$. A summarized application of this scoring framework to the main vulnerability classes is presented in Section 4.9, where we classify the most representative threats as critical, high-, medium-, or low-risk based on publicly reported CVEs, operator reports, and others’ testbed results.

Stage 3: Standards Gap Analysis—For each identified vulnerability, we checked the relevant 3GPP security standards to see if the problem is mentioned and how it should be addressed in the 3GPP security standards for 5G systems (TS 33 series with a particular focus on TS 33.501). We then reviewed the available literature in the field to determine which attacks were most likely to occur. In total, we focused on three questions for each threat class:

• Is this threat explicitly addressed in 3GPP TS 33.501 (5G Security Architecture) or related TS 33 series specifications (for example, TS 33.117, TS 33.210, TS 33.511). Further, 5G-Sec-Req-024 states that “The architecture shall provide a means to detect and prevent or at least limit the damage resulting from the threat that an attacker may impersonate a trusted entity”. The correct approach to vulnerability management differentiates between vulnerabilities caused by incomplete standards and those brought about by a weak operational practice or a sub-par implementation.
• Is the mitigation strategy already mandated in standards or only recommended in normative and non-normative text (e.g., “shall” vs. “should/may”) or in 3GPP/GSMA security advisories? For each vulnerability, controls such as mutual authentication on N2/N4, integrity protection of control plane signaling, container hardening, and PFCP security profiles were mapped to their status in TS 33.501 and related documents.
• Are there implementation gaps between standards and deployed networks (e.g., optional features rarely enabled, partial control plane protection, or incomplete slice isolation)? This assessment used publicly reported CVEs, operator reports, and GSMA security guidance (e.g., FS.32) to identify where standards-compliant configurations are not consistently realized in commercial cores.

The outcome of this Stage 3 analysis is a standards to practice gap map that feeds directly into: (i) the qualitative risk levels summarized in

Table 1. Risk scoring methodology.

Threat Class	Risk Score	Risk Level
Container runtime escapes	0.85	Critical
NGAP signaling floods	0.82	Critical
Registration storms	0.80	Critical
GTP-U amplification	0.72	High
PFCP association flooding	0.68	High
MitM non-3GPP access	0.65	High
5G-aka protocol weaknesses	0.62	High
Spectrum slicing interference	0.55	High
MitM initial registration	0.58	High
SSB jamming and spoofing	0.42	Medium
Identifier leakage	0.38	Medium

(Section 4.9), where several “critical” and “high” risks are driven more by deployment lag than by missing standards; and (ii) the mitigation taxonomy in Appendix B (Table A2), which prioritizes controls that are already defined in TS 33.501 but under-deployed in current 5G Standalone networks.

2.4. Criticality Scoring

To rank the vulnerabilities in a consistent and transparent way, we used a normalized risk score. This score combines four elements: likelihood, impact, exploitability, and the CVSS-based severity, into a single weighted measure. Each component was first converted to a common 0–1 scale so that no factor dominated simply because it used a different range or unit. This normalization step made the scoring more balanced and allowed the final risk values to be compared directly across very different types of vulnerabilities.

Consider an example of Container Escape to calculate risk score and level. As discussed in Section 2.3, R = (Exploit Probability × Impact × Likelihood) + CVSS-Normalized Severity; Risk Level Thresholds: critical if $R\ge 0.7$, high if $0.5\le R<0.69$, medium if $0.3\le R<0.49$, and low if $R<0.3$; Factor Definitions: Clear 0–1 scales for each component.

• Exploit Probability: 0.95 (PoC available, real-world exploitation);
• Impact: 0.90 (Full 5G Core Network compromise);
• Likelihood: 0.90 (Affects all CNF deployments);
• CVSS-Normalized: 0.85 (CVSS 9.8 normalized);
• Intermediate Calculation: 0.95 × 0.90 × 0.90 = 0.77;
• Final Risk Score: (0.77 + 0.85)/2 = 0.81 → CRITICAL.

3. 5G Architecture

5G [8,9,10] networks implement a service-based architecture that separates control and user planes to enhance security and flexibility. While this separation has existed since 4G/LTE, 5G introduces new security considerations through its virtualized network functions and open interfaces. The architecture implements multiple security domains, each serving distinct protection purposes. The access security domain protects radio interface communications, implements mutual authentication, and provides confidentiality and integrity protection. Within the core network security domain, the architecture secures service-based interfaces, enforces network function authentication, and manages security context distribution. The user plane security domain ensures end-to-end data protection, implements QoS-aware security, and provides slice-specific security controls.

Figure 1 illustrates that the 5G service-based architecture maintains separate layers for the data, control, and user planes. Table A1 provides a summary of 5G service-based architecture elements. Implementing the SBA in the 5G core network allows for the provisioning of various services, a core network that is not dependent on access technology, and the separation of control and user planes. Separating 5G control and user planes reduces risks and vulnerabilities, a strategy already employed in previous generations of LTE. Operators can implement stricter access controls, monitor network activity, and prevent unauthorized access to critical network elements by isolating control functions from user data. The transition mentioned is a crucial element in the architecture of the 5G core network.

3.1. User Plane

The user plane is dedicated to handling the actual user data traffic, such as voice, video, and data services. It comprises several key components. The User Equipment (UE) represents the end-user devices, including smartphones, tablets, IoT devices, and any other device that connects to the 5G network to access services.

The main vulnerabilities in the user plane stem from GTP-U encapsulation issues and traffic amplification attacks and inadequate surveillance of internal data-plane network traffic. The threats which occur less frequently than control-plane attacks have proven capable of causing major denial-of-service problems and data interception, according to available evidence.

The Next-Generation Radio Access Network (NG-RAN) provides the air interface for communication between the UE and the 5G core network, managing tasks like radio resource management, scheduling, and encoding/decoding of data over the radio channels. The User Plane Function (UPF) acts as a critical packet router and forwarder for user data traffic, performing functions such as packet inspection, Quality of Service (QoS) enforcement, and traffic steering based on predefined policies. Finally, the Data Network (DN) represents the external networks, such as the Internet or private networks, to which the user’s data traffic is ultimately routed.

3.2. Control Plane

Next, the control plane is responsible for managing the signaling and control functions of the 5G network. It includes components like the Authentication Server Function (AUSF), which handles authentication and security procedures, ensuring that only authorized devices and users can access the 5G network services.

The majority of control-plane vulnerabilities target the signaling protocols and management functions which maintain network operations through AMF and SMF and SBA API components. Attackers use various tactics to conduct their attacks, which include NGAP registration floods and PFCP association abuse and unauthorized access to service-based interfaces. These methods require minimal resources yet they can create extensive network service interruptions. Each identified threat is mapped to its affected interfaces (e.g., N2, N4), preconditions, primary impact, and supporting evidence.

The Network Functions (NFs) are generic components that perform specific tasks within the control plane, such as the Access and Mobility Management Function (AMF), Session Management Function (SMF), and Policy Control Function (PCF). The AMF manages access control and mobility procedures, including registration, connection management, and handover between different access networks. The Network Repository Function (NRF) maintains a repository of available network functions and their capabilities, allowing other network functions to discover and communicate with each other. Finally, the Network Exposure Function (NEF) acts as a secure gateway, exposing selected network capabilities and events to trusted third-party applications, enabling the development of innovative services and applications.

3.3. Cross-Plane

Complementing these two planes is the Common Data Layer, which provides shared data repositories accessible to multiple network functions within the SBA. This layer ensures consistent and efficient data access across the architecture, reducing duplication and promoting data sharing among different components. Additionally, network slicing enables cross-plane issues because its shared infrastructure creates two problems, which affect both logical slices through side-channel leakage and resource contention, as revisited later.

Open APIs enabled by 5G core network exposure provide operators and third parties with a flexible platform for rapid and secure service innovation. Capitalizing on network exposure is key for operators to unlock the full potential of 5G. Open APIs can be more vulnerable to exploits and attacks compared to proprietary closed APIs. Extensive testing and validation of open APIs are crucial to minimizing security risks. API Fuzz testing [13], a technique that involves throwing invalid or unexpected inputs at an API to uncover flaws, should be conducted thoroughly during the development phase. Any vulnerabilities uncovered should be addressed before the API is published. Operators should also implement API keys and rate-limiting mechanisms to prevent abuse.

4. Vulnerability and Threat Mitigation

4.1. Container Security

From a security standpoint, containerized environments and traditional deployments share many similarities. Container security is regarded as critical in 5G due to the extensive use of containerization in NFV. However, containers significantly alter the way applications operate, which introduces a new set of risks. If an adversary can modify or influence the construction of a container image during development, they could introduce malicious code that can be executed in the production environment. These are sometimes referred to as covert exploits. Once the container image has been created, it is stored in a registry and retrieved from the registry at the time of execution. Known as a supply chain exploit, this risk allows a bad actor to execute arbitrary code on-the-fly by replacing or modifying the container image between build and deployment. Poorly configured containers allow for the execution of containers with settings that grant them superfluous and unintended privileges.

As there are still bugs that would allow malicious code operating inside a container to escape onto the host, container escape vulnerabilities are still theoretically possible. One such vulnerability (CVE-2019-5736), known as RunceScape [14], allows attackers to escape containerized environments and obtain complete access to the underlying servers. Isolation techniques are intended to confine application code to a container. For certain applications, the impact of an escape can be significantly detrimental.

Recent critical vulnerabilities in the runtime of containers expose tangible risks to 5G core network security. An example includes CVE-2024-21626: this bug in the runc versions between 1.1.0 to 1.1.12 presents a huge flaw in SELinux label verification, allowing container escape. This directly influences containerized network function isolation and leads to the compromise of the whole 5G Core Network. Meanwhile, CVE-2023-27561 introduced a race condition in the runc handling of file descriptors that can give an attacker the capability to compromise network function isolation integrity.

These are increased within the container orchestration layer, usually implemented by Kubernetes: CVE-2023-2727 showed that a critical vulnerability in handling service account tokens could be exposed and lead to potentially unauthorized access to the management interfaces of network functions. CVE-2023-3676 demonstrated a node proxy vulnerability that directly impacts the network slice isolation.

CVE-2023-27561 will impact the performance and security of 5G networks due to the spikes it creates in the resource utilization of the affected nodes, which is characterized by increased network latency for control plane operations. To this end, this may likely result in disrupted service periods during successful exploits and, likewise, recovery times after its containment.

Implementing security controls is expected to have performance impacts that are both measurable and manageable. Basic container security measures are likely to result in increased CPU and memory utilization and a slight increase in control plane operation latency. Enhanced security monitoring is expected to introduce additional costs for continuous monitoring, increased memory overhead for security tools, and a notable requirement for security log storage.

4.2. Spectrum Slicing Attack

A spectrum-slicing attack [15] targets wireless communication systems by exploiting vulnerabilities in the spectrum-slicing process. An attacker can gain unauthorized access to a specific frequency band or interfere with resource allocation by exploiting vulnerabilities in the network infrastructure or the protocols used for spectrum allocation. This can lead to service disruptions, unauthorized access to sensitive information, and/or cause a complete DoS.

A more sophisticated attack vector is inter-slice interference, which targets boundaries between the spectrum slices. Through the engineering of precise transmission timing, the attackers can interfere with neighbors and leverage the holes in the 5G NR frequency planning. The very likely technical consequences would manifest as field issues, including reduced data transfer rates and significant drops in service quality [5].

Both need multi-layered spectrum security controls that network operators should embrace across three domains: physical layer security has to be improved through the management of guard bands utilizing mechanisms for dynamic power control, real-time interference detection, and resource optimization. Radio resource management must enforce strict slice isolation, adaptive numerology configuration, and enhance admission control with continuous quality monitoring. Network management integration needs to integrate automated response mechanisms, cross-layer security coordination, performance impact management, and optimization of resources.

Proper implementation of spectrum security measures necessitates a delicate balance between security and performance across various dimensions. Resource allocation must account for guard band overhead, increased processing latency, control channel overhead, and higher memory utilization. Monitoring requirements include maintaining a specific resolution for spectrum analyzers, regular sampling, adequate processing capacity per cell, and substantial storage needs per cell.

Guard Band Trade-offs: Implementing spectrum security measures necessitates a delicate balance between security and performance. A key metric is the guard band ratio (g), defined as follows:

$$g={\displaystyle \frac{G}{B_{tot}}}$$

where G represents the total bandwidth allocated to guard bands and $B_{tot}$ is the total available bandwidth per cell. As g increases, the probability of inter-slice interference decreases, enhancing security isolation. However, this results in a linear reduction in spectral efficiency and usable throughput. Resource allocation strategies [6] must therefore optimize g to satisfy security isolation requirements without falling below the minimum throughput thresholds required for URLLC slices.

4.3. DDoS Attacks

In 5G networks, device-to-device (D2D) communications enable direct communication between devices without a centralized network infrastructure. While this enhances efficiency and reduces latency, it also introduces new attack vectors for malicious actors to exploit. One is the increased vulnerability to Distributed Denial of Service (DDoS) attacks. For example, one such DDoS type is Paging Storm attacks [11]. As illustrated in Figure 1, the paging procedure in a 5G network functions by locating and notifying specific user equipment (UE) when an incoming call or message arrives. This communication relies on the N2 interface.

A paging storm attack exploits vulnerabilities within this framework by targeting multiple network interfaces. The primary attack vector lies in the N2 interface between gNB and AMF, while secondary and tertiary vectors target the N4 interface (SMF-UPF connection) and N1 interface (UE-AMF link), respectively. To execute such an attack successfully, adversaries must meet several practical requirements. These include gaining access to the N2 interface through a compromised gNB or malicious network element, possessing the capability to forge valid NGAP (Next Generation Application Protocol) messages, and obtaining knowledge of valid UE identifiers (5G-S-TMSI).

The Next Generation Application Protocol (NGAP) signaling flood represents a validated attack vector documented in 3GPP TR 33.805 and recent CVE-2023-32852 findings. Testing against commercial 5G core networks has demonstrated that attackers can overwhelm the Access and Mobility Management Function (AMF) by generating excessive NGAP signaling messages through compromised or simulated gNBs. This attack proves particularly effective because the AMF must process each message to determine its validity, consuming substantial computational resources even when messages are ultimately rejected.

Validated through GSMA’s security assessment framework (FS.32), the registration storm attack exploits the 5G initial registration procedure. Attackers leverage multiple compromised UEs or simulated devices to initiate simultaneous registration requests, overwhelming the AMF and User Data Management (UDM) functions.

A known attack vector, as documented by 3GPP SA3, leverages the GPRS Tunneling Protocol User Plane (GTP-U) to significantly increase traffic volumes. Attackers manipulate GTP-U echo requests with spoofed source addresses, causing User Plane Functions (UPFs) to generate responses that are substantially larger than the original requests. Commercial networks have confirmed that a single compromised network element can generate a large volume of amplified traffic using this technique.

4.4. Man-in-the-Middle Attack

There are several interfaces in the architecture of 5G where, notionally, Man-in-the-Middle attacks could be staged, but practical considerations and security controls prevent all but the most limited set of attack paths. According to the research on Man-in-the-Middle (MitM) attacks [16], three realistic attack surfaces with demonstrable impact were identified: the initial registration procedure, radio interface vulnerabilities, and non-3GPP access points. Each surface comes with specific issues and opportunities for the attacker, with its particular prerequisite conditions necessary to perform the attack.

During the initial UE registration phase, before security context establishment, a narrow window exists for potential MitM attacks. This vulnerability arises specifically in the window between the initial establishment of the RRC connection and the completion of the 5G-AKA procedure. Research [12] into the open literature shows that such a window can be exploited by radio proximity attackers under certain conditions. The conditions are physical proximity of less than 500 m inside the target cell coverage area, coupled with specialized radio equipment that can broadcast in 5G NR frequencies. The attack demands precise timing to intercept the registration process before security activation, along with the capability to present a stronger signal strength than legitimate gNBs.

The N1 interface between UE and gNB presents a viable target for a MitM attack, particularly during transitions between idle and connected states. Using software-defined radio (SDR) equipment could uncover a practical attack method requiring sophisticated prerequisites. Successful attacks demand high-grade SDR hardware, gNodeB impersonation capabilities, detailed knowledge of local network parameters, and proximity to the target.

Studies have shown that success depends on catching the target UE in idle mode, maintaining superior attacker signal strength, precise timing of security context release, and completing RRC procedures. The impact on network operations was notable but manageable. Connection establishment delays were observed, while control plane message exposure remained limited to specific NAS messages. Service disruption was confined to the targeted UE, and network monitoring systems detected the attacks with a high degree of accuracy.

Non-3GPP access points, particularly untrusted Wi-Fi networks, present the most practical MitM attack vector. Research validated successful MitM attacks through compromised Wi-Fi access points connecting to 5G core networks via N3IWF (Non-3GPP Interworking Function). This attack vector requires modification capabilities of access points, in-depth N3IWF protocol knowledge, IPsec tunnel manipulation tools, and sophisticated traffic inspection capabilities.

The research reported noticeable user plane latency increases, while control plane message exposure remained limited by IPsec protocols. Service continuity was maintained during attacks, and anomaly monitoring systems detected the attacks effectively.

Implementing full PKI for gNB authentication can prove highly effective, significantly reducing false base station attacks. The performance impact included slight increases in connection latency, CPU usage, and memory utilization, with minimal overhead for key management. Enhanced network monitoring, aimed specifically at MitM attacks, demonstrated a high detection rate for active attacks with minimal false positives. The system responded rapidly while maintaining reasonable resource overhead.

A comprehensive security control approach integrates multiple protective layers. Radio interface protection involves mandatory gNB authentication, swift security context establishment, enhanced RRC security measures, and continuous signal strength monitoring. For non-3GPP access security, strict IPsec tunnel requirements, enhanced N3IWF authentication, continuous connection monitoring, and rapid threat response capabilities are implemented.

While theoretical MitM attacks against 5G networks appear concerning, practical implementation faces significant challenges. The most viable attack vectors target initial registration procedures and non-3GPP access points rather than established connections. Proper implementation of available security controls effectively mitigates these risks while maintaining acceptable performance metrics. Network operators should focus their efforts on securing these identified vulnerable points rather than theoretical attacks against established security contexts. This targeted approach enables efficient resource allocation while maintaining a robust security posture against realistic threats.

4.5. Signal Synchronization, Jamming, and Spoofing

The signal synchronization block (SSB) is a critical component of 5G networks [17] that synchronizes the transmission and reception of signals between base stations and user devices. SSB ensures the signals are properly aligned and timed, allowing for efficient communication. However, this synchronization process can be vulnerable to various attacks, which can compromise the network’s integrity and availability.

One of the main vulnerabilities of the SSB is the possibility of signal jamming or interference. Since the SSB relies on precise timing and synchronization, any disruption to the signals can lead to synchronization errors and communication failures. Attackers can exploit this vulnerability by intentionally jamming the signals or introducing interference, disrupting the network, and causing service outages. This can have serious implications, especially in critical applications such as autonomous vehicles [17] or remote healthcare monitoring.

Another vulnerability of the SSB is signal spoofing or manipulation. An attacker can impersonate a legitimate base station and send false synchronization signals to user devices. This can lead to devices connecting to malicious networks or being directed to unauthorized resources. By manipulating the synchronization signals, attackers can disrupt the network or gain unauthorized access to sensitive information. This highlights the need for robust authentication and encryption mechanisms to protect against such attacks. The SSB is susceptible to physical attacks such as tampering or sabotage. Since the SSB is a physical component located in base stations, attackers can physically access and manipulate it. This can involve tampering with the synchronization hardware or introducing malicious code into the SSB software. Such attacks can compromise the integrity of the synchronization process and lead to network-wide disruptions. Therefore, it is crucial to implement stringent physical security measures to protect the SSB from unauthorized access. Several measures can be taken to mitigate these vulnerabilities. First, strong encryption and authentication protocols can help prevent signal spoofing and manipulation. Ensuring that only legitimate base stations can send synchronization signals minimizes the risk of unauthorized access and network disruptions. Additionally, regular monitoring and analysis of synchronization signals can help detect any anomalies or suspicious activities, allowing for timely response and mitigation.

4.6. Packet Forwarding Control Protocol-Based Attacks

PFCP is a protocol used in the 5G core network to manage and control the forwarding of user data packets. It is responsible for establishing and maintaining sessions between the user equipment (UE) and the network and managing different applications’ QoS requirements. PFCP operates at the control plane of the 5G network, making it a critical component for ensuring the smooth operation of the network. One concern is the vulnerability of the 5G core network to Packet Forwarding Control Protocol (PFCP)-based attacks [18]. PFCP-based attacks can exploit vulnerabilities in the protocol to disrupt network operations, compromise user privacy, and even cause financial losses. One such attack is the PFCP message flooding attack, where an attacker floods the network with a large number of PFCP messages, overwhelming the network resources and causing a denial of service.

The PFCP association procedure between the SMF and UPF (refer to the N4 interface in Figure 1) presents a validated vulnerability point. Security assessments documented in CVE-2023-29799 reveal that crafted association setup messages can exploit implementation flaws in node-ID verification [18]. The analysis of CVE-2023-29799 supports testing in controlled environments utilizing standard open-source PFCP stacks, demonstrating that attackers could establish unauthorized associations. In these scenarios, the injection of association setup requests at high rates (flooding) overwhelmed the SMF’s state management logic. Successful exploitation allows for the unauthorized modification of forwarding rules and the interception of user traffic flows [8]. As detailed in Table A1, the SMF is the critical control point here; compromising its association logic effectively breaks the isolation between the Control and User planes.

4.7. Enhanced Protection in the Control Plane

The potential leakage of sensitive information, such as the International Mobile Equipment Identity (IMEI) or the Permanent Equipment Identifier (PEI), and the associated 5G-Globally Unique Temporary Identifier (5G-GUTI) of a device [19], must be addressed, even if the user plane data is encrypted. Operators can minimize the risk of leakage and user tracking by securing the control plane. This could involve implementing tamper-resistant modules or secure enclaves within the device, which would protect the IMEI/PEI and 5G-GUTI from being leaked even if the user plane data is compromised. Note that IMEI/PEI and 5G-GUTI leakage in the control plane poses a significant threat to user privacy and data protection. Cellular operators may implement end-to-end encryption of all control plane communications between the user equipment and the core network to address this issue. This prevents unauthorized interception and access to identifier information. Advanced encryption standards like AES-256-bit and SHA-3 can be utilized to provide robust confidentiality.

4.8. Vulnerabilities in the AKA Protocol and Software Defined Networking

A recent study in [6] has identified vulnerabilities in the AKA protocol used in 5G, such as the lack of replay attack protection for authentication messages between the UE and the serving network. Another concern is the potential for man-in-the-middle (MitM) attacks due to weak integrity protection of AKA signaling messages. Attackers can alter and forge AKA communications, enabling MitM scenarios to access user traffic and data. Implementing cryptographic signing of AKA messages substantially improves integrity verification and mitigates MitM risks. Additionally, the encryption of AKA messages should be strengthened using robust algorithms like 256-bit AES to prevent interception and manipulation. Mutual authentication between the UE and the network is also needed to verify both endpoints.

Potential solutions, such as lightweight authentication schemes [20], were proposed to address the vulnerabilities in the AKA protocol. Lightweight authentication schemes aim to provide efficient and secure authentication while minimizing computational and communication overhead. While lightweight authentication schemes show promise, evaluating their performance in detail is crucial. For example, a study in [7] was conducted to evaluate existing lightweight authentication schemes to assess their security properties. These evaluations consider resistance against known attacks, computational complexity, and communication overhead. The results indicate that some lightweight authentication schemes provide a high level of security, while others may require further improvements to address specific vulnerabilities.

4.9. Risk Prioritization Summary

The evaluation results indicate control-plane signaling attacks represent the most severe threat, which is followed by container runtime escapes and PFCP abuse. User-plane attacks, while generally lower in exploit likelihood, present significant impact potential due to amplification effects.

Table 2. 5G Threat Class Risk Prioritization.

Threat Class	Primary Plane/Interfaces	Representative Evidence/CVEs (Examples)	Qualitative Rationale	Risk Level
Container runtime and orchestration vulnerabilities	Control plane; container orchestration APIs	CVE-2023-XXXX; misconfigured container permissions	Exploits container vulnerabilities to disrupt network functions	High
Control plane DDoS	Control plane; NGAP interfaces	NGAP signaling flood, registration storms	Overwhelms control plane processing capacity	Critical
Control plane DDoS message flooding attacks	Control plane; NGAP interfaces	Massive NGAP signaling message; excessive registration requests	Overwhelms control plane processing capacity	Critical
PFCP association and message flooding attacks	User plane; PFCP interfaces	Flood of PFCP association setup/teardown message	Degrade user-plane resource allocation	High
Spectrum slicing and inter-slice interference	Radio access network; spectrum slicing boundaries	Unauthorized spectrum usage; cross-slice interface patterns	Impairs QoS of sliced services	High
Man-in-the-middle during registration and non-3GPP access/3GPP-access interfaces	Control plane; identity management interfaces, non-3GPP access/3GPP access interfaces	Intercepted registration/signaling message	Compromise user authentication and session integrity	High
Signal synchronization (SSB) jamming and spoofing	Radio access network; SSB transmission	SSB jamming signals; spoofed SSB timing/contents	Disrupts UE synchronization and access	Medium
Control plane identifier leakage (IMEI/PEI, 5G-GUTI	Control plane; identity management interfaces	Unauthorized exposure of IMEI/PEI; 5G-GUTI tracking	Enables tracking and potential identity theft	Medium
AKA protocol weaknesses and lightweight schemes	Control plane; AKA protocol exchanges	Weak key derivation: vulnerabilities in lightweight AKA	Compromises user/network authentication	High
User plane data interception	User plane; N3/N9 interfaces	Unencrypted user plane data flows	Exposes sensitive user data to interception	High

summarizes how the semi-quantitative scoring framework introduced in Section 2.3 is applied to the main vulnerability classes discussed in this work. For each threat, we combine evidence of practical exploitation, expected technical and business impact, observed or reported occurrence in operational or testbed environments, and the published CVSS scores of representative CVEs to derive an aggregate qualitative risk level.

This classification is not intended as an exhaustive quantitative ranking of all 5G threats. Instead, it provides a structured view of how the most prominent vulnerability classes identified in this survey relate to each other in terms of practical exploitability, operational impact, and observed deployment experience, and highlights why container- and control-plane DDoS-related vulnerabilities emerge as critical priorities for hardening in current 5G core networks, while spectrum- and access-focused attacks, although serious, tend to have more localized or conditional impact.

5G’s software-defined technologies introduce new security vulnerabilities, like inter-slice security threats, such as privacy, secure communication, slice isolation, slice-specific authentication, and authorization. Due to the virtual, rather than physical, isolation offered by 5G network slicing, several security attacks become more prominent, especially side-channel attacks. This is particularly true for slices sharing the same infrastructure, such as the Radio Access Network (RAN), backhaul network, or core network functions (CNFs). This shared environment necessitates an exhaustive analysis of potential vulnerabilities and the implementation of robust protection mechanisms to safeguard each slice. Table A2 summarizes the overall vulnerability mitigation process.

5. Conclusions and Future Directions

The evolution of 5G networks introduces unparalleled opportunities but creates significant security challenges due to the virtualized nature of the SBA. This article and vulnerability analysis reveal:

1.

Control Plane Vulnerabilities Dominate Current Threat Landscape: The most frequently exploited vulnerabilities (NGAP signaling floods, container escapes) target control plane management functions. These attacks cause service disruption with relatively modest attacker resources (compromised base station, network access).

2.

Critical Standards–Practice Gap in Deployment: While recent 3GPP standards increasingly address security, deployment lag persists. Container image scanning is optional in TS 33.501 but essential in practice. PFCP mutual authentication is recommended in Release 18 but not deployed in Release 16/17 networks (the majority of current installations).

3.

User Plane Vulnerabilities Often Overlooked: Unlike the control plane, user plane threats receive less attention from operators. GTP-U amplification attacks persist because many operators underestimate the DDoS impact from their own infrastructure.

4.

Network Slicing Isolation is Logical, Not Physical: While slicing creates logical separation, shared hardware enables side-channel attacks. Current deployments prioritize cost and efficiency over physical isolation, leaving critical services (URLLC, healthcare) vulnerable to cross-slice inference attacks.

The review shows that current 5G systems face their main security threats because control-plane signaling becomes exposed and organizations fail to use standardized security measures and lack proper user-plane monitoring capabilities. The four security measures which need immediate deployment derive from the most critical findings, which include PFCP mutual authentication and rate limiting, SBA API authorization strengthening and container runtime isolation enforcement, and user-plane DDoS visibility improvement. The upcoming challenges, which affect slicing isolation and physical-layer integration, indicate these problems will continue through 6G, thus requiring security designers to create systems with architectural awareness.

Emerging 6G Threats Already Visible: Physical layer security (SSB spoofing, jamming) and spectrum sharing (inter-slice interference) will worsen as 6G adds more slices and reduces spectrum separation. Current mitigation approaches (guard bands, monitoring) are insufficient for NextG.

The future of security solutions in 5G networks increasingly relies on technologies related to AI and machine learning. However, based on our study, we identify three priority directions for future work to secure NextG systems: (1) Automated Response on N2/N4: Developing AI-driven mechanisms to detect and mitigate signaling storms and PFCP association floods in real-time without inducing latency. (2) Zero Trust for Slicing: Moving beyond perimeter security to implement continuous micro-segmentation and authentication within the RAN and backhaul slices [10]. (3) Physical Layer Security Integration: Incorporating physical layer security techniques [21], such as secrecy-sensing optimization in RIS-assisted networks, to track malicious actors physically while securing the radio interface.