How to fix CVE-2025-28388?

Within 24 hours: Identify all OpenC3 COSMOS deployments and versions in your environment; restrict network access to affected instances to trusted networks only. Within 7 days: Change all service account credentials and rotate API keys; implement enhanced monitoring for suspicious authentication activity; contact OpenC3 for v6.0.2 availability timeline. Within 30 days: Upgrade to v6.0.2 when released; conduct access audits to detect unauthorized use; review and strengthen secrets management practices.

Is Cosmos affected by CVE-2025-28388?

OpenC3 COSMOS installations running versions prior to 6.0.2 contain hardcoded service account credentials that can be exploited to gain unauthorized system access.

CVE-2025-28388

EUVD-2025-18269 CRITICAL

2025-06-13 [email protected]

9.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 21:34 euvd

EUVD-2025-18269

Analysis Generated

Mar 14, 2026 - 21:34 vuln.today

PoC Detected

Oct 27, 2025 - 16:15 vuln.today

Public exploit code

CVE Published

Jun 13, 2025 - 14:15 nvd

CRITICAL 9.8

Description

OpenC3 COSMOS before v6.0.2 was discovered to contain hardcoded credentials for the Service Account.

Analysis

OpenC3 COSMOS versions before v6.0.2 contain hardcoded credentials embedded in the Service Account, allowing unauthenticated remote attackers to gain complete system compromise without any user interaction. This critical vulnerability has a CVSS score of 9.8 (critical severity) with a network attack vector, and given the nature of hardcoded credentials in a mission-critical space operations software, real-world exploitation risk is extremely high for organizations still running vulnerable versions.

Technical Context

OpenC3 COSMOS is a command and control software platform used for spacecraft operations, ground system automation, and telemetry processing. The vulnerability stems from CWE-798 (Use of Hard-Coded Credentials), a fundamental authentication flaw where Service Account credentials are embedded directly in the codebase, configuration files, or binary artifacts rather than being properly externalized and protected. This allows any attacker with network access to the COSMOS instance to extract and reuse these credentials, bypassing authentication mechanisms entirely. The hardcoded nature means credentials cannot be rotated per-deployment and affect all instances using the same codebase. CPE context suggests the vulnerable product is cpe:2.3:a:openc3:cosmos, with all versions prior to 6.0.2 affected.

Affected Products

COSMOS (All versions before 6.0.2)

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.2

CVSS: +49

POC: +20

CVE-2025-28388 vulnerability details – vuln.today

Back

CVE-2025-28388

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

CVE-2025-28388

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

External POC / Exploit Code