Wednesday, 4 March 2026

Black Hat USA 2025 | Uncovering Threats and Exposing Vulnerabilities in Next-Gen Cellular RAN

5G Radio Access Networks (RANs) are undergoing a major shift from tightly integrated, vendor-specific systems to disaggregated, software-driven architectures. At the forefront is the Open RAN (O-RAN) movement, which defines new standardized interfaces to support RAN disaggregation and introduces modular RAN Intelligent Controllers (RIC) for smarter network optimization. While this openness promotes innovation and interoperability, it also significantly expands the attack surface. In this talk, we will reveal how O-RAN's design exposes critical interfaces to potentially malicious user equipment (UEs) and under-protected RAN nodes, and demonstrate how these exposed interfaces can be exploited to launch new classes of attacks. We will also present how our systematic testing has uncovered 26 previously unknown memory-corruption vulnerabilities across widely used O-RAN RIC and RAN implementations, resulting in silent service disruptions, performance degradation, component crashes, and even system-wide failures. These vulnerabilities resulted in 20 new CVEs. As major operators worldwide accelerate the adoption of O-RAN, our talk will demonstrate the significance of architecture-specific security testing for such emerging systems.

We will begin by mapping out new attack surfaces and associated protection challenges introduced by O-RAN's microservice-based, cloud-native architecture, contrasting them with traditional closed RANs. To guide threat modeling and defense strategies, we will introduce a taxonomy of attack vectors targeting the O-RAN stack. We will then share our insights on testing this unique system and present the first automated security testing framework designed for O-RAN. Our approach combines dynamic tracing and static analysis to uncover inter-component dependencies and generate constraint-driven test inputs capable of reaching deep internal logic within RICs, RANs, and third-party xApps.

Finally, we will showcase the vulnerabilities we uncovered and how these issues are remotely exploitable via public-facing interfaces by malicious UEs or rogue RAN nodes, demonstrating the potential operational impact of these attacks in real-world deployments.

By:
Tianchang Yang | Research Assistant, The Pennsylvania State University
Kai Tu | Research Assistant, The Pennsylvania State University
Syed Md Mukit Rashid | Research Assistant, The Pennsylvania State University
Ali Ranjbar | Research Assistant, The Pennsylvania State University
Gang Tan | Professor of Computer Science and Engineering, The Pennsylvania State University
Syed Rafiul Hussain | Assistant Professor, The Pennsylvania State University

Presentation Materials Available at: https://ift.tt/UnLvoGi

source https://www.youtube.com/watch?v=rqzK1xd3wng
