What is the CVSS score of CVE-2025-28388?

CVE-2025-28388 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.2%.

Which versions of Cosmos are affected by CVE-2025-28388?

OpenC3 COSMOS installations running versions prior to 6.0.2 contain hardcoded service account credentials that can be exploited to gain unauthorized system access.

Is there a public PoC exploit available for CVE-2025-28388?

Yes, a public proof-of-concept exploit is available for CVE-2025-28388. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate CVE-2025-28388?

Within 24 hours: Identify all OpenC3 COSMOS deployments and versions in your environment; restrict network access to affected instances to trusted networks only. Within 7 days: Change all service account credentials and rotate API keys; implement enhanced monitoring for suspicious authentication activity; contact OpenC3 for v6.0.2 availability timeline. Within 30 days: Upgrade to v6.0.2 when released; conduct access audits to detect unauthorized use; review and strengthen secrets management practices.

Cosmos CVE-2025-28388

EUVD-2025-18269 CRITICAL

Use of Hard-coded Credentials (CWE-798)

2025-06-13 cve@mitre.org

Information Disclosure Cosmos

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 21:34 euvd

EUVD-2025-18269

Analysis Generated

Mar 14, 2026 - 21:34 vuln.today

PoC Detected

Oct 27, 2025 - 16:15 vuln.today

Public exploit code

CVE Published

Jun 13, 2025 - 14:15 nvd

CRITICAL 9.8

DescriptionCVE.org

OpenC3 COSMOS before v6.0.2 was discovered to contain hardcoded credentials for the Service Account.

AnalysisAI

OpenC3 COSMOS versions before v6.0.2 contain hardcoded credentials embedded in the Service Account, allowing unauthenticated remote attackers to gain complete system compromise without any user interaction. This critical vulnerability has a CVSS score of 9.8 (critical severity) with a network attack vector, and given the nature of hardcoded credentials in a mission-critical space operations software, real-world exploitation risk is extremely high for organizations still running vulnerable versions.

Technical ContextAI

OpenC3 COSMOS is a command and control software platform used for spacecraft operations, ground system automation, and telemetry processing. The vulnerability stems from CWE-798 (Use of Hard-Coded Credentials), a fundamental authentication flaw where Service Account credentials are embedded directly in the codebase, configuration files, or binary artifacts rather than being properly externalized and protected. This allows any attacker with network access to the COSMOS instance to extract and reuse these credentials, bypassing authentication mechanisms entirely. The hardcoded nature means credentials cannot be rotated per-deployment and affect all instances using the same codebase. CPE context suggests the vulnerable product is cpe:2.3:a:openc3:cosmos, with all versions prior to 6.0.2 affected.

CVE-2025-28388 vulnerability details – vuln.today

Back

Cosmos CVE-2025-28388

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

Share

External POC / Exploit Code