

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From 5.0.0 to 6.10.1, OpenC3 COSMOS cont…
Published:
12 January 2026 at 23:00:00
Alert date:
13 January 2026 at 20:04:16
Source:
nvd.nist.gov
Critical Infrastructure, Web Technologies
OpenC3 COSMOS versions 5.0.0 to 6.10.1 contain a critical remote code execution vulnerability in the JSON-RPC API. The vulnerability occurs when attacker-controlled parameter text is parsed using String#convert_to_value, which executes eval() for array-like inputs. Unauthenticated attackers can trigger Ruby code execution through the cmd code path before authorization checks occur. The vulnerability affects embedded systems command and control functionality. Fixed in version 6.10.2.
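As an added illustration of the bug class the advisory describes (a constructed example, not code from OpenC3 COSMOS or its fix): a converter that hands "array-like" parameter text to eval, beside a hardened version that parses it with JSON and accepts only a flat array of numbers or strings. The function names are hypothetical.

```ruby
require 'json'

# Constructed illustration of the pattern described in the advisory, not code
# from OpenC3 COSMOS: a converter that treats "array-like" text as Ruby source
# and hands it to eval. Any expression wrapped in square brackets is executed,
# so attacker-controlled parameter text becomes code execution.
def unsafe_convert_to_value(text)
  return text unless text.start_with?('[') && text.end_with?(']')
  eval(text) # dangerous: evaluates arbitrary Ruby
end

# Hardened replacement (hypothetical): JSON.parse never executes code, and the
# result is checked to be a flat array of numbers or strings. Ruby expressions
# such as "[1 + 1]" are not valid JSON and are rejected with ArgumentError.
def safe_convert_to_value(text)
  return text unless text.start_with?('[')
  parsed = JSON.parse(text)
  raise ArgumentError, 'array expected' unless parsed.is_a?(Array)
  unless parsed.all? { |v| v.is_a?(Numeric) || v.is_a?(String) }
    raise ArgumentError, 'only flat arrays of numbers or strings are accepted'
  end
  parsed
rescue JSON::ParserError => e
  raise ArgumentError, "malformed array parameter: #{e.message}"
end

# Returns true when the hardened converter refuses the input.
def rejected?(text)
  safe_convert_to_value(text)
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  p safe_convert_to_value('[1, 2.5, "MODE_A"]') # => [1, 2.5, "MODE_A"]
  p safe_convert_to_value('42')                  # => "42" (not array-like, passed through)
  p rejected?('[1 + 1]')                         # => true
  p rejected?('[[1], 2]')                        # => true
end
```

The same check should run after authentication and authorization, not before them; the advisory's point is that the eval happened on the cmd path before those checks.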
Affected products:
OpenC3 COSMOS
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2025-68271
https://github.com/OpenC3/cosmos/security/advisories/GHSA-w757-4qv9-mghp
This article was created with the assistance of AI technology by Perceptive.

