
CVE-2025-28380: n/a

Severity: Medium
Published: Fri Jun 13 2025 (06/13/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A cross-site scripting (XSS) vulnerability in OpenC3 COSMOS before v6.0.2 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the URL parameter.

AI-Powered Analysis

Last updated: 10/28/2025, 04:15:44 UTC

Technical Analysis

CVE-2025-28380 is a cross-site scripting (XSS) vulnerability in OpenC3 COSMOS, a command-and-control and telemetry platform used for mission operations in the aerospace and defense sectors. It affects versions before 6.0.2. A value taken from a URL parameter is rendered into the web interface without adequate validation or output encoding, so an attacker can embed arbitrary HTML or JavaScript in a crafted link. When a user of an affected deployment opens that link, the injected script runs in the user's browser with the origin and authenticated session of the COSMOS web application. From there it can read anything the page can read (including any session token that is exposed to script), alter what the operator sees, or send requests to the application on the operator's behalf.

The analysis rates the issue at CVSS 3.1 base score 6.1 (medium): attack vector network, attack complexity low, privileges required none, user interaction required (the victim must open the link), scope changed, confidentiality and integrity low, availability none. The changed scope reflects that the script executes in the victim's browser, a different security authority from the vulnerable web server. Note that the CVE record fields reproduced on this page (Technical Details below) list no CVSS version, so the score should be read as this analysis's assessment rather than a value published with the record. No public exploit has been reported, but the issue is publicly disclosed and link-delivered XSS is usually straightforward to weaponize once the vulnerable parameter is known, so affected deployments should be treated as at risk.
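To make the bug class concrete, the following is an added example written for this page; it is not OpenC3 COSMOS code and does not reproduce the real endpoint. It shows a handler that interpolates a URL parameter straight into HTML next to the same handler with output encoding, and a small check that counts tags the parameter introduced. The parameter name `q`, the host, the path and the page template are all assumptions.

```javascript
// Added example, not OpenC3 COSMOS code: the bug class behind CVE-2025-28380,
// a URL parameter rendered into HTML without encoding, next to the hardened
// form. The parameter name "q", the host, the path and the template are
// assumptions made for illustration.
"use strict";

// Assumed vulnerable handler: the query value is interpolated into the page
// as-is, so markup in the value becomes markup in the document.
function renderUnsafe(rawUrl) {
  const q = new URL(rawUrl).searchParams.get("q") ?? "";
  return `<div class="result">You searched for: ${q}</div>`;
}

// HTML-encode the characters that can break out of an HTML text or
// attribute context. This table is sufficient for those two contexts only;
// values placed into JavaScript or URL contexts need different encoders.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened handler: identical template, parameter encoded on output.
function renderSafe(rawUrl) {
  const q = new URL(rawUrl).searchParams.get("q") ?? "";
  return `<div class="result">You searched for: ${escapeHtml(q)}</div>`;
}

// Return every tag in the rendered markup that is not part of the template
// (the template only emits <div>). Anything else came from the parameter.
function injectedTags(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi) || [];
  return tags.filter((t) => !/^<\/?div\b/i.test(t));
}

// Constructed attacker link: an event-handler payload that fires as soon as
// the bogus image fails to load, with no further user action.
const ATTACK_URL =
  "https://cosmos.example/tools/search?q=" +
  encodeURIComponent('<img src=x onerror="alert(document.cookie)">');

console.log("unsafe:", injectedTags(renderUnsafe(ATTACK_URL)));
console.log("safe:  ", injectedTags(renderSafe(ATTACK_URL)));
```

The unsafe rendering contains the attacker's `<img ...>` element as live markup; the safe rendering contains only `&lt;img ...&gt;`, which the browser displays as text. Note that encoding is context-specific: the same value placed inside a `<script>` block or an `href` would need JavaScript-string or URL encoding instead.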

Potential Impact

For European organizations in the aerospace, defense, and space sectors that run OpenC3 COSMOS for mission operations, the exposure is a compromised operator session rather than a compromised server. A script running in an operator's browser can exfiltrate session tokens or operational data visible in the interface, tamper with displayed telemetry or command screens, and send commands or configuration changes through the web application with the operator's privileges. Availability is not directly affected, but misleading an operator or issuing unauthorized commands can have operational consequences well beyond a web-interface bug. The need for user interaction narrows the attack surface without removing it: the payload is a link, which is exactly what phishing and other social-engineering campaigns deliver, and operators of ground systems are plausible targets. No exploitation in the wild has been reported, which lowers the immediate risk but does not preclude it. Given the strategic importance of these systems, organizations should weigh the potential for espionage or sabotage when prioritizing the fix.

Mitigation Recommendations

The primary mitigation is to upgrade OpenC3 COSMOS to version 6.0.2 or later, where the issue is fixed; confirm the version actually deployed rather than assuming it. The root fix for this bug class is contextual output encoding: every value taken from a URL parameter must be encoded for the context it is rendered into (HTML body, attribute, JavaScript, URL) before it reaches the page. Input validation on URL parameters is useful defense in depth but not a substitute, because legitimate values often contain characters that are dangerous only in one output context. Deploy a Content Security Policy that disallows inline script (for example, script-src with per-response nonces and no 'unsafe-inline'); a strict CSP does not remove the injection but keeps most injected script from executing.

Because the attack requires a user to open a crafted URL, train users to treat unexpected links to the mission control interface with suspicion. Monitor web application logs for URL parameter values containing script markers such as <script, on...= event handlers, or javascript:, and decode the values before matching, since payloads are routinely percent-encoded, sometimes twice. Where a WAF sits in front of the application, configure it to block common XSS payloads against the affected endpoints, but treat this as a stopgap: encoding-based bypasses are common and the WAF does not fix the application. Finally, include client-side injection checks in periodic security assessments and penetration tests so that residual or newly introduced issues are found.
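The log-monitoring recommendation above is easy to get wrong by matching on raw, still-encoded values. The following is an added example written for this page, not OpenC3 COSMOS code or a COSMOS log format: it parses constructed access-log lines, decodes each query parameter (including double encoding), and reports parameters that carry XSS markers. Hosts, paths, parameter names and the log lines themselves are constructed.

```javascript
// Added example, not OpenC3 COSMOS code: scan web access-log lines for URL
// parameter values that carry XSS markers, i.e. the log-monitoring step
// recommended above. The log format, paths, hosts and parameter names are
// constructed for this example.
"use strict";

// Percent-decode repeatedly (bounded) so that double-encoded payloads are
// inspected in the form the browser would finally see.
function decodeFully(value, rounds = 3) {
  let cur = value;
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch { return cur; }
    if (next === cur) return cur;
    cur = next;
  }
  return cur;
}

// Markers that rarely occur in legitimate parameter values. A bare "<" or
// ">" is deliberately not a marker: telemetry queries such as "temp > 50"
// would otherwise flood the results.
const XSS_MARKERS = [
  /<\s*script\b/i,
  /<\s*(img|svg|iframe|object|embed|body)\b[^>]*\bon\w+\s*=/i,
  /\bon(error|load|mouseover|focus|click)\s*=/i,
  /javascript\s*:/i,
  /\bsrcdoc\s*=/i,
];

// Combined-format access log line (constructed layout):
//   client - user [time] "METHOD /path?query HTTP/1.1" status bytes
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) \d+/;

// Return one hit per suspicious parameter in the line, or null.
function inspectLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, client, method, target, status] = m;
  const qIndex = target.indexOf("?");
  if (qIndex < 0) return null;
  const hits = [];
  // URLSearchParams performs one round of decoding; decodeFully does the rest.
  for (const [param, raw] of new URLSearchParams(target.slice(qIndex + 1))) {
    const value = decodeFully(raw);
    const marker = XSS_MARKERS.find((re) => re.test(value));
    if (marker) {
      hits.push({ client, method, status, path: target.slice(0, qIndex), param, value, marker: marker.source });
    }
  }
  return hits.length ? hits : null;
}

function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const h = inspectLine(line);
    if (h) hits.push(...h);
  }
  return hits;
}

// Constructed sample: one benign request, one plain payload, one
// double-encoded payload, and one benign value that contains ">".
const SAMPLE_LOG = [
  '10.0.0.5 - - [13/Jun/2025:10:01:02 +0000] "GET /tools/cmdsender?target=INST HTTP/1.1" 200 5120',
  '10.0.0.9 - - [13/Jun/2025:10:01:07 +0000] "GET /tools/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048',
  '10.0.0.9 - - [13/Jun/2025:10:01:09 +0000] "GET /tools/search?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 2048',
  '10.0.0.7 - - [13/Jun/2025:10:02:00 +0000] "GET /tools/search?q=temperature+%3E+50 HTTP/1.1" 200 1900',
];

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(`${hit.client} ${hit.method} ${hit.path} param=${hit.param} value=${hit.value}`);
}
```

Run against the sample, only the two requests from 10.0.0.9 are reported; the double-encoded one is caught because the value is decoded until it stops changing, and the benign "temperature > 50" query is not reported because a lone ">" is not treated as a marker. In production, feed the hits to the SIEM keyed on client and path so repeated probing of one endpoint is visible.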


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-03-11T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 684c28eba8c9212743808660

Added to database: 6/13/2025, 1:34:35 PM

Last enriched: 10/28/2025, 4:15:44 AM

Last updated: 11/22/2025, 6:06:42 PM

