
CVE-2025-68271: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in OpenC3 cosmos

Critical
Tags: vulnerability, cve-2025-68271, cwe-95
Published: Tue Jan 13 2026 (01/13/2026, 18:32:21 UTC)
Source: CVE Database V5
Vendor/Project: OpenC3
Product: cosmos

Description

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From 5.0.0 to 6.10.1, OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_value executes eval(). Because the cmd code path parses the command string before calling authorize(), an unauthenticated attacker can trigger Ruby code execution even though the request ultimately fails authorization (401). This vulnerability is fixed in 6.10.2.

AI-Powered Analysis

AI analysis last updated: 01/13/2026, 19:12:38 UTC

Technical Analysis

OpenC3 COSMOS is a command and control framework used to send commands and receive data from embedded systems. Versions 5.0.0 to 6.10.1 contain a critical vulnerability (CVE-2025-68271) classified as CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code, commonly known as eval injection. The vulnerability exists in the JSON-RPC API where certain API calls accept parameters as strings that are parsed using a method called String#convert_to_value. For inputs resembling arrays, this method executes Ruby's eval() function on attacker-controlled input. Critically, the command string is parsed and eval() executed before the authorization check occurs, allowing unauthenticated attackers to execute arbitrary Ruby code remotely. Although the request ultimately fails authorization with a 401 response, the code execution occurs prior to this check, enabling full remote code execution (RCE). This can lead to complete system compromise including data theft, system manipulation, or denial of service. The vulnerability is fixed in OpenC3 COSMOS version 6.10.2. The CVSS v3.1 base score is 10.0, reflecting network attack vector, no required privileges or user interaction, and a scope change with high impact on confidentiality, integrity, and availability.
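The two defects the description and analysis above single out, conversion by eval() for array-like parameter strings and conversion running before authorize(), as an added Ruby illustration that is not OpenC3 COSMOS's own code: `UnsafeConvert`, `SafeConvert`, `handle_cmd_parse_first`, `handle_cmd_authorize_first`, `authorize!` and `VALID_TOKEN` are constructed stand-ins, and the request hashes are constructed sample input. The unsafe converter is kept only so the fixed path can be contrasted with it: a JSON-literal parser returns the same arrays for well-formed input, rejects anything that is an expression rather than a literal, and is never reached by a request that fails authorization.

```ruby
require "json"

# Constructed stand-in for the pattern the advisory describes: an "array-like"
# parameter string is handed to eval(), so any Ruby expression inside the
# brackets executes. Illustrative only; not OpenC3 COSMOS's own code.
module UnsafeConvert
  def self.convert_to_value(str)
    return str unless str.start_with?("[") && str.end_with?("]")

    eval(str) # the defect: parsing by evaluation
  end
end

# Hardened stand-in: array-like strings are parsed as JSON literals only.
# Anything that is not a literal (an expression, a method call) is rejected
# instead of being run.
module SafeConvert
  class RejectedInput < StandardError; end

  def self.convert_to_value(str)
    return str unless str.start_with?("[") && str.end_with?("]")

    JSON.parse(str)
  rescue JSON::ParserError => e
    raise RejectedInput, "parameter is not a JSON literal: #{e.message}"
  end
end

class Unauthorized < StandardError; end

VALID_TOKEN = "constructed-demo-token" # constructed; not a real credential

def authorize!(token)
  raise Unauthorized, "401 Unauthorized" unless token == VALID_TOKEN
end

# Vulnerable ordering from the advisory: the parameter string is converted
# (and therefore evaluated) before authorize! runs. The :parsed flag records
# that conversion happened even though the request still ends in a 401.
def handle_cmd_parse_first(request)
  parsed = false
  params = UnsafeConvert.convert_to_value(request[:params])
  parsed = true
  authorize!(request[:token])
  { status: 200, parsed: parsed, params: params }
rescue Unauthorized
  { status: 401, parsed: parsed }
end

# Fixed ordering: authorize first, then convert with the literal-only parser.
# An unauthenticated request never reaches conversion at all, and an
# authenticated request with a non-literal parameter gets a 400.
def handle_cmd_authorize_first(request)
  parsed = false
  authorize!(request[:token])
  params = SafeConvert.convert_to_value(request[:params])
  parsed = true
  { status: 200, parsed: parsed, params: params }
rescue Unauthorized
  { status: 401, parsed: parsed }
rescue SafeConvert::RejectedInput => e
  { status: 400, parsed: parsed, error: e.message }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests: a bad token with a non-literal "array",
  # and a valid token with a plain JSON literal.
  unauth = { token: "wrong-token", params: "[1 + 1]" }
  authed = { token: VALID_TOKEN, params: "[1, 2, 3]" }

  p handle_cmd_parse_first(unauth)
  p handle_cmd_authorize_first(unauth)
  p handle_cmd_authorize_first(authed)
end
```

The point of the `:parsed` flag is what a reviewer of the fix would check: with the vulnerable ordering it is true on a 401 response, meaning untrusted text was evaluated before the caller was identified; with the fixed ordering it is false on every 401, and the converter that does run cannot evaluate anything because `JSON.parse` only produces data.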

Potential Impact

For European organizations using OpenC3 COSMOS to manage embedded systems, this vulnerability presents a critical risk. Exploitation can lead to full remote code execution without authentication, allowing attackers to take control of embedded devices, exfiltrate sensitive data, disrupt operations, or pivot within networks. Given the use of embedded systems in critical infrastructure, manufacturing, aerospace, and defense sectors prevalent in Europe, the impact could be severe including operational downtime, intellectual property theft, and safety risks. The vulnerability’s ease of exploitation and high severity make it attractive for threat actors, including nation-state adversaries targeting strategic European industries. The potential for widespread disruption and compromise of sensitive systems necessitates immediate remediation to protect confidentiality, integrity, and availability of critical assets.

Mitigation Recommendations

European organizations should urgently upgrade OpenC3 COSMOS to version 6.10.2 or later, where this vulnerability is patched. Until the upgrade is possible, restrict access to the JSON-RPC API to trusted networks only, using network segmentation and firewall rules to block untrusted external access. Implement strict monitoring and logging of JSON-RPC API calls to detect anomalous or suspicious activity indicative of exploitation attempts, bearing in mind that an exploitation attempt still ends in a 401 response and so will not stand out as a successful request. Employ application-layer firewalls or runtime application self-protection (RASP) solutions that can detect and block eval injection patterns. Conduct thorough code audits and penetration testing of custom integrations with OpenC3 COSMOS to identify and remediate similar unsafe eval usage. Finally, ensure incident response plans are updated to address potential exploitation scenarios involving embedded system compromise.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-16T14:05:31.364Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69669561a60475309fa56540

Added to database: 1/13/2026, 6:56:33 PM

Last enriched: 1/13/2026, 7:12:38 PM

Last updated: 1/14/2026, 1:37:21 AM


