Cyber Posture

CVE-2025-68271

Critical

Published: 13 January 2026

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0034 (56.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From 5.0.0 to 6.10.1, OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_value executes eval(). Because the cmd code path parses the command string before calling authorize(), an unauthenticated attacker can trigger Ruby code execution even though the request ultimately fails authorization (401). This vulnerability is fixed in 6.10.2.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: Requires timely flaw remediation, such as patching OpenC3 COSMOS to version 6.10.2 or later, to eliminate the RCE vulnerability.

prevent: Mandates validation of information inputs to external interfaces like the JSON-RPC API to block attacker-controlled strings from triggering eval() execution.

prevent: Monitors and controls communications at external boundaries to restrict unauthenticated remote access to the vulnerable JSON-RPC cmd endpoints.

Security Summary (AI-generated)

OpenC3 COSMOS, a platform for sending commands to and receiving data from embedded systems, contains a critical remote code execution vulnerability identified as CVE-2025-68271 in versions 5.0.0 through 6.10.1. The flaw affects the JSON-RPC API, where requests using the string form of certain APIs cause attacker-controlled parameter text to be parsed via the String#convert_to_value method. For array-like inputs, this parsing invokes Ruby's eval(), enabling arbitrary code execution. The issue is rated CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code).

An unauthenticated remote attacker can exploit this vulnerability by crafting a JSON-RPC request targeting the affected APIs, particularly those in the command (cmd) code path. The parsing of the command string occurs before the authorization check, so eval() runs even when the request later fails with a 401 Unauthorized response. Successful exploitation grants full remote code execution on the server, with high confidentiality, integrity, and availability impacts and a changed scope (S:C), meaning the impact extends beyond the vulnerable component itself.

The GitHub Security Advisory (GHSA-w757-4qv9-mghp) confirms the vulnerability and states it is fixed in OpenC3 COSMOS version 6.10.2. Security practitioners should upgrade to 6.10.2 or later and review access to JSON-RPC endpoints, restricting them to trusted networks where possible.
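The two defensive changes the description implies, as an added Ruby sketch that is not OpenC3 COSMOS code and not its actual patch: a string-to-value converter that never reaches eval() because array-like text is handed to the strict JSON parser, and a request handler that authorizes before parsing any parameter text. The names safe_convert_to_value, parse_array_literal and CmdHandler are hypothetical.

```ruby
require 'json'

# Added example (not OpenC3's implementation): convert parameter text to a
# value without evaluating it. Array-like text is parsed with JSON.parse,
# a data-only grammar, so "[1, 2]" becomes an Array while any non-literal
# content raises instead of being executed.
def safe_convert_to_value(text)
  s = text.strip
  case s
  when /\A-?\d+\z/      then Integer(s, 10)
  when /\A-?\d+\.\d+\z/ then Float(s)
  when /\A\[.*\]\z/m    then parse_array_literal(s)
  else s                # anything else stays an opaque string, never code
  end
end

def parse_array_literal(s)
  # JSON.parse, not JSON.load: load may honour json_class object additions.
  value = JSON.parse(s)
  raise ArgumentError, 'array-like input is not a JSON array' unless value.is_a?(Array)
  value
rescue JSON::ParserError => e
  raise ArgumentError, "rejected array-like input: #{e.message}"
end

# Hypothetical handler showing the ordering fix: the authorization check
# runs before any attacker-controlled parameter text is touched, so an
# unauthenticated request never reaches the parser at all.
class CmdHandler
  def initialize(valid_tokens)
    @valid_tokens = valid_tokens
  end

  # Returns [status, body], mirroring an HTTP-style response.
  def handle(token:, params:)
    return [401, 'unauthorized'] unless @valid_tokens.include?(token)
    [200, params.map { |p| safe_convert_to_value(p) }]
  end
end
```

A request with a bad token gets 401 without any of its parameters being parsed, and an array-like parameter that is not a JSON literal is rejected rather than evaluated.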

Details

CWE(s): CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote code execution via a crafted JSON-RPC request to a public-facing API, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
