Himashveta Kumar (The Pennsylvania State University), Tianchang Yang (The Pennsylvania State University), Arupjyoti Bhuyan (Idaho National Laboratory), Syed Rafiul Hussain (The Pennsylvania State University)

The emergence of the 5G Open Radio Access Network (O-RAN) architecture introduces increased flexibility and modularity to cellular networks, but its sudden shift toward software-centric and multi-vendor deployments also expands the software supply chain (SSC) attack surface, which is particularly concerning given the critical role of 5G infrastructure. SSC vulnerabilities can lead to severe consequences, including service disruption, unauthorized backdoors, and code injection. In this work, we systematically identify and analyze SSC vulnerabilities in the O-RAN RAN Intelligent Controller, which performs latency-sensitive edge control and optimization in 5G networks. Using static analysis tools, we evaluate production-grade O-RAN components primarily implemented in Go and find 57 security-relevant issues after manual validation. We highlight key limitations of off-the-shelf analyzers, quantify false-positive results, and contextualize identified risks within O-RAN deployments. Our findings emphasize the need for improved SSC security practices tailored to O-RAN systems.
