Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Weak password requirements in OpenC3 COSMOS v6.0.0 allow attackers to bypass authentication via a brute force attack.
AnalysisAI
Critical authentication bypass vulnerability in OpenC3 COSMOS v6.0.0 caused by weak password requirements that enable brute force attacks. An unauthenticated remote attacker can exploit this with no user interaction to gain full control over the affected system, including confidentiality, integrity, and availability compromise. The CVSS 9.8 severity and network-based attack vector indicate this poses significant risk to any organization running the vulnerable version without additional protective controls.
Technical ContextAI
The vulnerability stems from CWE-521 (Weak Password Requirements), a foundational authentication weakness that fails to enforce sufficient password complexity, length, or entropy standards. In OpenC3 COSMOS v6.0.0, the authentication mechanism likely permits passwords with minimal complexity constraints (e.g., no length minimum, no character diversity requirements, or trivial default credentials), making the system susceptible to systematic password enumeration attacks. The absence of robust rate-limiting or account lockout mechanisms (common in weak authentication schemes) exacerbates the risk. This affects the COSMOS industrial control system platform, specifically CPE identifiers matching 'openc3:cosmos:6.0.0', which is widely deployed in critical infrastructure monitoring and orchestration environments.
More in Brute Force
View allRuggedCom Rugged Operating System (ROS) before 3.3 has a factory account with a password derived from the MAC Address fi
An issue in the password change function of Silverpeas v6.4.2 and lower allows for the bypassing of password complexity
Victure RX1800 EN_V1.0.0_r12_110933 was discovered to utilize a weak default password which includes the last 8 digits o
QaTraq 6.9.2 ships with administrative account credentials which are enabled in default installations and permit immedia
I-doit pro 25 and below and I-doit open 25 and below employ weak password requirements for Administrator account creatio
Weak Password Requirements in GitHub repository modoboa/modoboa prior to 2.1.0. Rated critical severity (CVSS 9.8), this
Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20. Rated critical severity (CVSS 9.8)
Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity (CVSS 9.8), t
Beijing Zed-3 Technologies Co.,Ltd VoIP simpliclty ASG 8.5.0.17807 (20181130-16:12) has a Weak password vulnerability. R
Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8. Rated critical severity (CVSS 9.8), th
Weak Password Requirements in GitHub repository ikus060/minarca prior to 4.2.2. Rated critical severity (CVSS 9.8), this
RuoYi v3.8.3 has a Weak password vulnerability in the management system. Rated critical severity (CVSS 9.8), this vulner
Same weakness CWE-521 – Weak Password Requirements
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18268