CVE-2025-28388
📋 TL;DR
OpenC3 COSMOS versions before v6.0.2 contain hardcoded credentials for a Service Account, allowing attackers to gain unauthorized access to the system. This affects all deployments using vulnerable versions of the OpenC3 COSMOS mission framework.
💻 Affected Systems
- OpenC3 COSMOS
📦 What is this software?
Cosmos by Openc3
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the COSMOS system, allowing attackers to execute arbitrary commands, access sensitive mission data, and potentially pivot to connected systems.
Likely Case
Unauthorized access to COSMOS functionality, data exfiltration, and potential privilege escalation within the system.
If Mitigated
Limited impact if proper network segmentation and access controls prevent exploitation attempts.
🎯 Exploit Status
Exploitation requires only knowledge of the hardcoded credentials, which are publicly documented in the fix commit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v6.0.2
Vendor Advisory: https://github.com/OpenC3/cosmos/releases/tag/v6.0.2
Restart Required: Yes
Instructions:
1. Back up the current configuration and data.
2. Update to OpenC3 COSMOS v6.0.2 or later.
3. Restart all COSMOS services.
4. Rotate any credentials that may have been exposed.
🔧 Temporary Workarounds
Credential Rotation
Manually change the Service Account credentials to prevent use of the hardcoded values
# Edit COSMOS configuration to set new Service Account credentials
# Restart COSMOS services after changes
Network Isolation
Restrict network access to COSMOS services to trusted sources only
# Configure firewall rules to limit access
# Example: iptables -A INPUT -p tcp --dport <COSMOS_PORT> -s <TRUSTED_IP> -j ACCEPT
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach COSMOS services
- Monitor authentication logs for attempts using known hardcoded credentials
🔍 How to Verify
Check if Vulnerable:
Check if OpenC3 COSMOS version is earlier than v6.0.2 by examining the installed version or configuration files.
Check Version:
Check COSMOS version via web interface or configuration files; exact command depends on deployment method.
Verify Fix Applied:
Confirm installation of v6.0.2 or later and verify that Service Account credentials are no longer hardcoded defaults.
📡 Detection & Monitoring
Log Indicators:
- Authentication attempts using the hardcoded Service Account credentials
- Unusual access patterns or privilege escalation from Service Account
Network Indicators:
- Unauthorized access attempts to COSMOS service ports
- Traffic from unexpected sources to COSMOS endpoints
SIEM Query:
source="cosmos" AND (event_type="authentication" AND (username="service_account" OR result="failure"))
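The version check and the SIEM query above, worked through as an added example that is not part of this advisory or of the OpenC3 project. It assumes JSON authentication events with `source`, `event_type`, `username`, `src_ip` and `result` fields (a constructed format, not real COSMOS log output), treats `service_account` as a placeholder for the real account name, and goes one step beyond the query by allowlisting the hosts expected to use the service account so that only unexpected use is flagged.

```python
import json
import re

FIXED_VERSION = (6, 0, 2)              # first release without the hardcoded credentials
SERVICE_ACCOUNT = "service_account"    # placeholder: substitute the real account name in your deployment
TRUSTED_SOURCES = {"10.0.0.5"}         # constructed allowlist of hosts expected to use the service account


def parse_version(tag):
    """Turn 'v6.0.1' or '6.0.2' into a comparable tuple; reject anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {tag!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(tag):
    """True when the installed version predates the fix in v6.0.2."""
    return parse_version(tag) < FIXED_VERSION


def suspicious_auth_events(log_lines):
    """Apply the advisory's SIEM logic to JSON auth events and return each hit with its reasons:
    service-account use from a host outside the allowlist, or any authentication failure."""
    hits = []
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("source") != "cosmos" or ev.get("event_type") != "authentication":
            continue
        reasons = []
        if ev.get("username") == SERVICE_ACCOUNT and ev.get("src_ip") not in TRUSTED_SOURCES:
            reasons.append("service account used from untrusted source")
        if ev.get("result") == "failure":
            reasons.append("authentication failure")
        if reasons:
            hits.append({"src_ip": ev.get("src_ip"), "username": ev.get("username"), "reasons": reasons})
    return hits


# Constructed sample events for the demonstration; not captured from a real system.
SAMPLE_LOG = [
    '{"source":"cosmos","event_type":"authentication","username":"service_account","src_ip":"10.0.0.5","result":"success"}',
    '{"source":"cosmos","event_type":"authentication","username":"service_account","src_ip":"203.0.113.9","result":"success"}',
    '{"source":"cosmos","event_type":"authentication","username":"operator","src_ip":"10.0.0.7","result":"failure"}',
    '{"source":"cosmos","event_type":"command","username":"operator","src_ip":"10.0.0.7","result":"success"}',
]

if __name__ == "__main__":
    print("v6.0.1 vulnerable:", is_vulnerable("v6.0.1"))
    for hit in suspicious_auth_events(SAMPLE_LOG):
        print(hit)
```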
🔗 References
- https://github.com/OpenC3/cosmos/pull/1816
- https://github.com/OpenC3/cosmos/pull/1816/commits/195974a019f375f7c5a35f48e4151babb40649ac
- https://github.com/OpenC3/cosmos/releases/tag/v6.0.2
- https://openc3.com/
- https://visionspace.com/openc3-cosmos-a-security-assessment-of-an-open-source-mission-framework/