CVE-2025-28381
📋 TL;DR
OpenC3 COSMOS versions before 6.0.2 place service credentials in the environment variables of every container in the deployment, so anyone who can read any one container's environment (through the container runtime or orchestrator API, or by running code inside any single container) obtains the credentials for other services. This affects every deployment running a vulnerable version of the OpenC3 COSMOS mission framework.
💻 Affected Systems
- OpenC3 COSMOS
📦 What is this software?
COSMOS by OpenC3: an open-source mission operations framework, deployed as a set of containers.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full access to all services and systems that use the leaked credentials, potentially leading to complete system compromise, data exfiltration, and lateral movement.
Likely Case
Attackers harvest credentials to access backend services, databases, or external APIs, leading to unauthorized data access and privilege escalation.
If Mitigated
Limited exposure and minimal impact where network segmentation restricts who can reach the container runtime and its management interfaces, and where the exposed credentials are rotated promptly.
🎯 Exploit Status
Exploitation requires the ability to read a container's environment variables. That access is commonly available through container management interfaces (for example the Docker or orchestrator API, or a dashboard) or to anyone who has compromised any single container in the deployment; no further vulnerability is needed once the environment can be read.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0.2
Vendor Advisory: https://github.com/OpenC3/cosmos/releases/tag/v6.0.2
Restart Required: Yes
Instructions:
1. Update OpenC3 COSMOS to version 6.0.2 or later.
2. Restart all containers and services so they start from the patched images.
3. Rotate every credential that was present in container environments. Upgrading stops the exposure but does not invalidate values that were already read.
🔧 Temporary Workarounds
Credential Rotation
Manually rotate all service credentials that may have been exposed as environment variables.
Environment Variable Restriction
Restrict access to container environment variables through container runtime security controls (for example, limit who can reach the Docker socket or orchestrator API and who can exec into containers).
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to containers and their management interfaces.
- Deploy runtime security monitoring to detect unauthorized access attempts to container environments.
🔍 How to Verify
Check if Vulnerable:
Confirm the deployed OpenC3 COSMOS version is below 6.0.2 from the deployment configuration or the container image tags, and run 'docker inspect' on the running containers to see whether their environment variables contain credentials.
Check Version:
Check the OpenC3 COSMOS version in your deployment configuration or container images.
Verify Fix Applied:
Verify the OpenC3 COSMOS version is 6.0.2 or later and confirm that environment variables no longer contain sensitive credentials.
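The following POSIX shell script, added here as an example and not part of OpenC3 COSMOS or of this advisory, automates both checks: it compares a version string against 6.0.2 and lists, for each running container, the environment variables whose names look like credentials in the `docker inspect` output, printing names only with values redacted. The list of credential-like name fragments and the assumption that the image tag carries the COSMOS version are assumptions; the sample environment at the end is constructed for illustration and is not real deployment data.

```shell
#!/bin/sh
# Added example (not OpenC3 COSMOS project code): audit running containers for
# credential-looking environment variables and for a pre-6.0.2 version tag.
# Only variable NAMES are printed; values are redacted so the audit output does
# not itself become another copy of the secrets.

# Assumption: secrets are usually stored under names containing one of these
# words. Extend the list for your deployment.
SECRET_NAME_RE='(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|ACCESS_KEY|PRIVATE_KEY)'

# find_secret_vars: read "NAME=value" lines (the format `docker inspect` emits
# for .Config.Env) on stdin; print "NAME=<redacted>" for matching names.
find_secret_vars() {
    grep -E "^[A-Za-z_][A-Za-z0-9_]*${SECRET_NAME_RE}[A-Za-z0-9_]*=" \
        | sed -E 's/=.*/=<redacted>/'
}

# count_secret_vars: number of credential-looking variables on stdin.
count_secret_vars() {
    find_secret_vars | wc -l | tr -d ' '
}

# version_lt_6_0_2: succeed (exit 0) if the version string is older than 6.0.2.
# Accepts "6.0.1", "v6.0.1", "6.0" and "6.0.1-rc1"; missing components count
# as 0. Anything that does not start with digits is treated as "not older".
version_lt_6_0_2() {
    v=${1#v}                 # tolerate a leading "v"
    v=${v%%[!0-9.]*}         # "6.0.1-rc1" -> "6.0.1"
    [ -n "$v" ] || return 1
    major=${v%%.*}
    rest=${v#"$major"}; rest=${rest#.}
    minor=${rest%%.*}
    rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    key=$(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
    [ "$key" -lt 6000002 ]
}

# audit_running_containers: needs the docker CLI; walks every running container.
# Assumption: the image tag (text after the last ":") is the COSMOS version, as
# in "some-image:6.0.1"; untagged or "latest" images are reported as unknown.
audit_running_containers() {
    docker ps --format '{{.ID}} {{.Names}} {{.Image}}' | while read -r id name image; do
        tag=${image##*:}
        case "$tag" in
            "$image"|latest) status="unknown version" ;;
            *) if version_lt_6_0_2 "$tag"; then status="VULNERABLE (tag $tag < 6.0.2)"
               else status="not older than 6.0.2 (tag $tag)"; fi ;;
        esac
        env_lines=$(docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' "$id")
        n=$(printf '%s\n' "$env_lines" | count_secret_vars)
        echo "$name ($image): $status, $n credential-looking variable(s)"
        printf '%s\n' "$env_lines" | find_secret_vars | sed 's/^/    /'
    done
}

# Constructed sample of what `docker inspect` might return for one container;
# the variable names and values are made up for this example.
SAMPLE_ENV='PATH=/usr/local/bin:/usr/bin
OPENC3_REDIS_PASSWORD=example-redis-pw
OPENC3_BUCKET_PASSWORD=example-bucket-pw
OPENC3_SERVICE_TOKEN=example-token
HOME=/root
RUBY_VERSION=3.2'

# Stand-alone demo on the constructed sample (no docker needed):
#   sh audit.sh --demo     # prints the three redacted credential names
#   sh audit.sh --audit    # runs against the local docker daemon
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_ENV" | find_secret_vars
    version_lt_6_0_2 6.0.1 && echo "6.0.1 is older than 6.0.2: vulnerable"
elif [ "${1:-}" = "--audit" ]; then
    audit_running_containers
fi
```

A container that reports zero credential-looking variables can still be vulnerable if the deployment uses names outside the pattern, so treat the script as a first pass and compare its output against the secrets you know the deployment needs (Redis, object storage, service accounts). The redaction is deliberate: audit output often lands in tickets and chat, which would otherwise recreate the exposure the patch removes.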
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to container management APIs
- Unusual credential usage patterns from container IPs
Network Indicators:
- Suspicious outbound connections from containers to credential-related services
SIEM Query (generic template, not a query for any specific product; adapt the source and field names to your platform):
source="container_logs" AND (event="env_access" OR credential_terms)
🔗 References
- https://github.com/OpenC3/cosmos/pull/1816
- https://github.com/OpenC3/cosmos/pull/1816/commits/cce64c213fd2e6a70e2ccbf3622949fe8f9dcaef
- https://github.com/OpenC3/cosmos/releases/tag/v6.0.2
- https://openc3.com/
- https://visionspace.com/openc3-cosmos-a-security-assessment-of-an-open-source-mission-framework/