CRITICAL🇵🇱 Wersja polska

CVE-2025-28388

CVSS 9.8v3.1pub. 2025-06-13upd. 2025-10-27

OpenC3 COSMOS before v6.0.2 was discovered to contain hardcoded credentials for the Service Account.

🤖 AI Analysis
How it works

In accordance with CWE-798, the vendor embedded static, unchangeable login credentials for a Service Account in the application code. An attacker who knows these hardcoded credentials (e.g., after analyzing the publicly available repository) can use them to authenticate to the system. Since these credentials are identical across all installations of a given version, the exploit requires no interaction from the victim or special privileges.

Impact

An attacker gains full, unauthorized access to the system with Service Account privileges, which may lead to disclosure of space mission data, modification of data, or complete disruption of the platform's operation.

Mitigation & patch

OpenC3 COSMOS must be urgently updated to version 6.0.2 or later, in which the issue has been fixed. Patch details are available in the vendor's references (GitHub pull request #1816 and release v6.0.2). After updating, it is recommended to review access logs to detect any potential unauthorized use of the Service Account.

Who is affected

OpenC3 COSMOS in all versions before 6.0.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Openc3 Cosmos

    APP
    Openc3
    6.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-42088CRITICAL9.6PL ✓ten sam produkt

OpenC3 COSMOS: ominięcie uprawnień API i dostęp do usług wewnętrznych sieci Docker

CVE-2026-42087CRITICAL9.6PL ✓ten sam produkt

SQL Injection w komponencie TSDB OpenC3 COSMOS (CVE-2026-42087)

CVE-2025-28384CRITICAL9.1PL ✓ten sam produkt

Path Traversal w endpoincie /script-api/scripts/ OpenC3 COSMOS

CVE-2025-28389CRITICAL9.8PL ✓ten sam produkt

OpenC3 COSMOS: Obejście uwierzytelnienia przez słabe wymagania haseł

CVE-2025-28386CRITICAL9.8PL ✓ten sam produkt

RCE w komponencie Plugin Management OpenC3 COSMOS poprzez spreparowany plik .txt