CVE-2025-28389

EUVD-2025-18268 | CRITICAL 9.8 (CVSS 3.1)
2025-06-13 [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned (EUVD-2025-18268): Mar 14, 2026 - 21:34 (euvd)
Analysis Generated: Mar 14, 2026 - 21:34 (vuln.today)
PoC Detected (public exploit code): Jun 17, 2025 - 19:42 (vuln.today)
CVE Published: Jun 13, 2025 - 14:15 (nvd)

Description

Weak password requirements in OpenC3 COSMOS v6.0.0 allow attackers to bypass authentication via a brute force attack.

Analysis

Critical authentication bypass in OpenC3 COSMOS v6.0.0: weak password requirements leave the credential keyspace small enough for a remote attacker to guess valid credentials by brute force. The attack needs no privileges and no user interaction (PR:N, UI:N) and, once a login succeeds, yields high impact to confidentiality, integrity, and availability (C:H/I:H/A:H), since the attacker then acts as a legitimate COSMOS user. The CVSS 9.8 score, the network attack vector, and the public proof-of-concept noted in the timeline mean any organization running the vulnerable version without compensating controls (strong passwords, login throttling, network restrictions on the web interface) should treat this as an urgent fix.

Technical Context

The vulnerability is classified as CWE-521 (Weak Password Requirements): the authentication mechanism does not enforce adequate password length, complexity, or entropy, so the effective keyspace an attacker must search is small enough for online guessing to succeed. The advisory does not say which constraint COSMOS v6.0.0 omits; in practice a CWE-521 finding means short or single-character-class passwords are accepted, and it becomes a network-reachable authentication bypass when the login endpoint also lacks rate limiting, account lockout, or back-off, because nothing then bounds the number of guesses a remote attacker can make. Mitigation is therefore twofold: enforce a minimum length and a deny-list of common passwords when a password is set or changed, and throttle failed logins per account (and ideally per source address) at the login endpoint. The affected product is OpenC3 COSMOS, an open-source command, control, and telemetry framework for spacecraft and other embedded systems, matching the CPE 'openc3:cosmos:6.0.0'.
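The two controls a CWE-521 finding calls for, a password-policy check at set time and a failed-login throttle at the endpoint, as an added example in Ruby (the language most of COSMOS is written in). This is illustration code written for this page, not OpenC3's implementation; the policy hashes, the LoginThrottle class, the 'operator' account, the common-password set and the guess list are all constructed for the demonstration, and simulate_attack models one guess per second against a single account.

```ruby
require 'set'

# Hypothetical policy objects; the field names are this example's own, not OpenC3's.
WEAK_POLICY   = { min_length: 1,  min_classes: 1, deny_common: false }.freeze
STRONG_POLICY = { min_length: 12, min_classes: 3, deny_common: true  }.freeze

# Constructed stand-in for a breached/common-password corpus (a real deployment
# would use a large list or a k-anonymity range lookup against one).
COMMON_PASSWORDS = Set.new(%w[password 123456 admin cosmos openc3 qwerty]).freeze

# Constructed attacker wordlist used by simulate_attack below.
GUESSES = %w[password 123456 admin cosmos openc3 qwerty letmein].freeze

CHAR_CLASSES = [/[a-z]/, /[A-Z]/, /\d/, /[^A-Za-z\d]/].freeze

# Number of character classes (lower, upper, digit, other) present in the password.
def char_classes(password)
  CHAR_CLASSES.count { |re| password.match?(re) }
end

# Returns nil when the password satisfies the policy, otherwise the rejection reason.
def reject_reason(password, policy)
  return :too_short  if password.length < policy[:min_length]
  return :too_simple if char_classes(password) < policy[:min_classes]
  return :common     if policy[:deny_common] && COMMON_PASSWORDS.include?(password.downcase)
  nil
end

# Server-side throttle: after max_failures failed logins for a user within
# `window` seconds, further attempts are refused for `lockout` seconds.
class LoginThrottle
  def initialize(max_failures: 5, window: 300, lockout: 900)
    @max_failures, @window, @lockout = max_failures, window, lockout
    @failures = Hash.new { |h, k| h[k] = [] }   # user -> failure timestamps
    @locked_until = {}                          # user -> unix time lock expires
  end

  # Call before checking the credential; true means the attempt may proceed.
  def allow?(user, now)
    return false if @locked_until[user] && now < @locked_until[user]
    true
  end

  # Record the outcome; returns :locked when this failure triggered a lockout.
  def record(user, now, success)
    if success
      @failures.delete(user)
      @locked_until.delete(user)
      return :ok
    end
    recent = (@failures[user] << now).select { |t| now - t <= @window }
    @failures[user] = recent
    if recent.size >= @max_failures
      @locked_until[user] = now + @lockout
      return :locked
    end
    :failed
  end
end

# Dictionary attack against the 'operator' account, one guess per second.
# Returns [guesses the attacker was allowed to make, whether the secret was found].
def simulate_attack(secret, guesses, throttle, start = 0)
  tried = 0
  guesses.each_with_index do |guess, i|
    now = start + i
    break unless throttle.allow?('operator', now)
    tried += 1
    ok = guess == secret
    throttle.record('operator', now, ok)
    return [tried, true] if ok
  end
  [tried, false]
end

if __FILE__ == $PROGRAM_NAME
  puts "weak policy accepts 'admin':   #{reject_reason('admin', WEAK_POLICY).nil?}"
  puts "strong policy rejects 'admin': #{reject_reason('admin', STRONG_POLICY).inspect}"
  puts "unthrottled attack: #{simulate_attack('letmein', GUESSES, LoginThrottle.new(max_failures: 10**9)).inspect}"
  puts "throttled attack:   #{simulate_attack('letmein', GUESSES, LoginThrottle.new).inspect}"
end
```

With the weak policy and no throttle the seven-word list recovers the password on the seventh guess; with the default throttle the account locks after five failures and the attacker never reaches it. The throttle keys on the account name, so it is the control that bounds guessing even when the password policy was already in place; a per-source limit on top of it is what stops one attacker from locking every operator out deliberately.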

Affected Products

COSMOS 6.0.0

Priority Score

69
KEV: 0
EPSS: +0.1
CVSS: +49
POC: +20


CVE-2025-28389 vulnerability details – vuln.today
