CVE-2025-68271:
Critical remote code execution vulnerability in OpenC3 COSMOS JSON-RPC API affects versions 5.0.0 to 6.10.1.
Score
A numerical rating that indicates how dangerous this vulnerability is.
10.0Critical- Published Date:Jan 13, 2026
- CISA KEV Date:*No Data*
- Industries Affected:20
Threat Predictions
- EPSS Score:0.3
- EPSS Percentile:55%
Exploitability
- Score:3.9
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:CHANGED
Impact
- Score:6.0
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
Critical remote code execution vulnerability in OpenC3 COSMOS JSON-RPC API affects versions 5.0.0 to 6.10.1.
Overview
The vulnerability (CVE-2025-68271) in OpenC3 COSMOS affects versions 5.0.0 to 6.10.1 and allows for remote code execution through the JSON-RPC API. The issue stems from the use of String#convert_to_value method, which executes eval() for array-like inputs. This occurs before the authorization check, enabling unauthenticated attackers to potentially execute arbitrary Ruby code. The vulnerability has been assigned a CVSS v3.1 base score of 10.0, indicating critical severity. It requires no privileges or user interaction and can be exploited over the network, potentially leading to high impacts on confidentiality, integrity, and availability.
Remediation
- To address this vulnerability, users of OpenC3 COSMOS should immediately upgrade to version 6.10.2 or later, which contains the fix for this issue. If immediate upgrading is not possible, it is crucial to implement additional security measures to restrict access to the JSON-RPC API and monitor for any suspicious activities. Organizations should also conduct a thorough review of their systems to identify any potential exploitation attempts and assess the impact on their infrastructure.
References
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
