What is the CVSS score of CVE-2025-28386?

CVE-2025-28386 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 1.5%.

Which versions of Cosmos are affected by CVE-2025-28386?

A critical remote code execution vulnerability (CVE-2025-28386) in OpenC3 COSMOS v6.0.0 allows unauthenticated attackers to execute arbitrary code by uploading malicious files, potentially…

Is there a public PoC exploit available for CVE-2025-28386?

Yes, a public proof-of-concept exploit is available for CVE-2025-28386. Prioritise patching immediately. EPSS: 1.5%.

How to fix or mitigate CVE-2025-28386?

Within 24 hours: Immediately disable the Plugin Management upload feature if operationally feasible, restrict network access to OpenC3 COSMOS instances to trusted networks only, and implement enhanced monitoring for suspicious file uploads. Within 7 days: Conduct a forensic audit of Plugin Management logs and file uploads to detect compromise; isolate affected systems if exploitation is confirmed. Within 30 days: Identify all systems running OpenC3 COSMOS v6.0.0, plan an upgrade to a patched version when available, and implement a compensating control architecture (see below) if upgrading cannot be completed.

Cosmos CVE-2025-28386

EUVD-2025-18270 CRITICAL

Code Injection (CWE-94)

2025-06-13 cve@mitre.org

RCE Cosmos

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 21:34 euvd

EUVD-2025-18270

Analysis Generated

Mar 14, 2026 - 21:34 vuln.today

PoC Detected

Jun 23, 2025 - 14:06 vuln.today

Public exploit code

CVE Published

Jun 13, 2025 - 14:15 nvd

CRITICAL 9.8

DescriptionCVE.org

A remote code execution (RCE) vulnerability in the Plugin Management component of OpenC3 COSMOS v6.0.0 allows attackers to execute arbitrary code via uploading a crafted .txt file.

AnalysisAI

Critical remote code execution vulnerability in OpenC3 COSMOS v6.0.0's Plugin Management component that allows unauthenticated attackers to execute arbitrary code by uploading a specially crafted .txt file. The vulnerability has a CVSS score of 9.8 (critical severity) with no authentication or user interaction required, making it trivially exploitable over the network. Given the high CVSS score and attack surface (public-facing plugin management interfaces), this vulnerability poses an immediate threat to all deployed instances of the affected version.

Technical ContextAI

The vulnerability exists in OpenC3 COSMOS's Plugin Management system (CPE: cpe:2.3:a:openc3:cosmos:6.0.0:*:*:*:*:*:*:*), which is a common operational technology (OT) and IT management platform. The root cause is classified under CWE-94 (Improper Control of Generation of Code - Code Injection), indicating that the plugin upload mechanism fails to properly sanitize or validate .txt file inputs before processing them. This likely stems from inadequate input validation in the file upload handler, where crafted .txt files containing executable code or commands are processed without sufficient security controls. The plugin management component likely uses an interpreter or code execution mechanism that blindly processes uploaded file contents, treating user-supplied data as trusted instructions rather than validating file structure and content.

CVE-2025-28386 vulnerability details – vuln.today

Back

Cosmos CVE-2025-28386

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

Share

External POC / Exploit Code