How to fix CVE-2025-28386?

Within 24 hours: Immediately disable the Plugin Management upload feature if operationally feasible, restrict network access to OpenC3 COSMOS instances to trusted networks only, and implement enhanced monitoring for suspicious file uploads. Within 7 days: Conduct a forensic audit of Plugin Management logs and file uploads to detect compromise; isolate affected systems if exploitation is confirmed. Within 30 days: Identify all systems running OpenC3 COSMOS v6.0.0, plan an upgrade to a patched version when available, and implement a compensating control architecture (see below) if upgrading cannot be completed.

CVE-2025-28386

Q: Is Cosmos affected by CVE-2025-28386?

A critical remote code execution vulnerability (CVE-2025-28386) in OpenC3 COSMOS v6.0.0 allows unauthenticated attackers to execute arbitrary code by uploading malicious files, potentially compromising systems and sensitive data.

EUVD-2025-18270 CRITICAL

2025-06-13 [email protected]

9.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 21:34 euvd

EUVD-2025-18270

Analysis Generated

Mar 14, 2026 - 21:34 vuln.today

PoC Detected

Jun 23, 2025 - 14:06 vuln.today

Public exploit code

CVE Published

Jun 13, 2025 - 14:15 nvd

CRITICAL 9.8

Description

A remote code execution (RCE) vulnerability in the Plugin Management component of OpenC3 COSMOS v6.0.0 allows attackers to execute arbitrary code via uploading a crafted .txt file.

Analysis

Critical remote code execution vulnerability in OpenC3 COSMOS v6.0.0's Plugin Management component that allows unauthenticated attackers to execute arbitrary code by uploading a specially crafted .txt file. The vulnerability has a CVSS score of 9.8 (critical severity) with no authentication or user interaction required, making it trivially exploitable over the network. Given the high CVSS score and attack surface (public-facing plugin management interfaces), this vulnerability poses an immediate threat to all deployed instances of the affected version.

Technical Context

The vulnerability exists in OpenC3 COSMOS's Plugin Management system (CPE: cpe:2.3:a:openc3:cosmos:6.0.0:*:*:*:*:*:*:*), which is a common operational technology (OT) and IT management platform. The root cause is classified under CWE-94 (Improper Control of Generation of Code - Code Injection), indicating that the plugin upload mechanism fails to properly sanitize or validate .txt file inputs before processing them. This likely stems from inadequate input validation in the file upload handler, where crafted .txt files containing executable code or commands are processed without sufficient security controls. The plugin management component likely uses an interpreter or code execution mechanism that blindly processes uploaded file contents, treating user-supplied data as trusted instructions rather than validating file structure and content.

Affected Products

COSMOS (6.0.0)

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +1.5

CVSS: +49

POC: +20

CVE-2025-28386 vulnerability details – vuln.today

Back

CVE-2025-28386

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

CVE-2025-28386

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

External POC / Exploit Code