CRITICAL🇵🇱 Wersja polska

CVE-2025-28386

CVSS 9.8v3.1pub. 2025-06-13upd. 2025-06-23

A remote code execution (RCE) vulnerability in the Plugin Management component of OpenC3 COSMOS v6.0.0 allows attackers to execute arbitrary code via uploading a crafted .txt file.

🤖 AI Analysis
How it works

The vulnerability (CWE-94 — improper control of code generation) consists of the ability to upload a crafted file with a .txt extension to the plugin management component. This file contains malicious code that is subsequently interpreted or executed by the server-side application. The lack of proper validation of the uploaded file content allows bypassing security mechanisms and executing arbitrary instructions in the context of the application process.

Impact

An attacker can remotely execute arbitrary code on the server without requiring any privileges, which may lead to complete system takeover, data leakage, and violation of the platform's integrity and availability.

Mitigation & patch

Patches available from the vendor should be applied according to the references. Additionally, it is recommended to restrict access to the Plugin Management component exclusively to trusted and authenticated users, and to monitor attempts to upload files to this module.

Who is affected

OpenC3 COSMOS v6.0.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Openc3 Cosmos

    APP
    Openc3
    6.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-42088CRITICAL9.6PL ✓ten sam produkt

OpenC3 COSMOS: ominięcie uprawnień API i dostęp do usług wewnętrznych sieci Docker

CVE-2026-42087CRITICAL9.6PL ✓ten sam produkt

SQL Injection w komponencie TSDB OpenC3 COSMOS (CVE-2026-42087)

CVE-2025-28384CRITICAL9.1PL ✓ten sam produkt

Path Traversal w endpoincie /script-api/scripts/ OpenC3 COSMOS

CVE-2025-28389CRITICAL9.8PL ✓ten sam produkt

OpenC3 COSMOS: Obejście uwierzytelnienia przez słabe wymagania haseł

CVE-2025-28388CRITICAL9.8PL ✓ten sam produkt

OpenC3 COSMOS — hardcoded credentials w koncie Service Account