CVE-2025-68271: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in OpenC3 cosmos
CVE-2025-68271 is a critical remote code execution vulnerability in OpenC3 COSMOS versions 5.0.0 through 6.10.1. The flaw arises from improper neutralization of directives in dynamically evaluated code (eval injection) within the JSON-RPC API. An attacker can send specially crafted JSON-RPC requests that trigger Ruby's eval() function on attacker-controlled input before authorization checks occur, allowing unauthenticated remote code execution. This vulnerability has a CVSS score of 10.0, indicating maximum severity, and affects embedded systems management environments using OpenC3 COSMOS. The issue is fixed in version 6.10.2.
AI Analysis
Technical Summary
OpenC3 COSMOS is a platform designed to send commands and receive data from embedded systems. Versions 5.0.0 through 6.10.1 contain a critical vulnerability (CVE-2025-68271) classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, or eval injection). The vulnerability exists in the JSON-RPC API where certain API calls accept parameters as strings that are parsed using a method called String#convert_to_value. This method executes Ruby's eval() on array-like inputs, which allows execution of arbitrary Ruby code. Critically, the vulnerable code path parses and evaluates the command string before performing authorization checks, meaning an unauthenticated attacker can trigger code execution even though the request ultimately fails authorization. This flaw enables remote code execution (RCE) with no authentication or user interaction required, impacting confidentiality, integrity, and availability of affected systems. The vulnerability has a CVSS 3.1 score of 10.0 (critical), reflecting its ease of exploitation and severe impact. The issue was publicly disclosed in January 2026 and fixed in OpenC3 COSMOS version 6.10.2. No known exploits in the wild have been reported yet, but the severity demands immediate attention.
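The two defects the analysis describes (an array-like string handed to eval, and that conversion happening before authorization) can be shown side by side in a few lines of Ruby. The block below is an added illustration, not OpenC3 COSMOS source code: the converter functions, the UnsafeParameter error, the token table and the handle_rpc stand-in are all constructed here to mirror the pattern described, and the actual String#convert_to_value implementation and COSMOS authorization model differ from them.

```ruby
require 'json'

# Simplified stand-in for the pattern the advisory describes (not the real
# String#convert_to_value): a string that looks like an array is handed to
# eval so that "[1, 2, 3]" becomes an Array. Whatever the caller puts between
# the brackets runs as Ruby, which is the CWE-95 defect.
def convert_to_value_unsafe(str)
  s = str.strip
  if s.start_with?('[')
    eval(s) # vulnerable: attacker-controlled Ruby source is executed here
  elsif s.match?(/\A-?\d+\z/)
    s.to_i
  elsif s.match?(/\A-?\d+\.\d+\z/)
    s.to_f
  else
    str
  end
end

# Raised when a parameter is not a plain data literal (constructed error class).
class UnsafeParameter < ArgumentError; end

# Element types a converted array may contain; nested structures are rejected.
ALLOWED_SCALARS = [Integer, Float, String, TrueClass, FalseClass, NilClass].freeze

# Hardened converter: array-like strings are parsed as strict JSON, which is a
# data parser and never evaluates code, then the result is checked against a
# whitelist of scalar element types. "[1, foo()]" is a parse error, not a call.
def convert_to_value_safe(str)
  s = str.strip
  if s.start_with?('[')
    begin
      value = JSON.parse(s)
    rescue JSON::ParserError => e
      raise UnsafeParameter, "array parameter is not a JSON literal: #{e.message}"
    end
    unless value.is_a?(Array) && value.all? { |v| ALLOWED_SCALARS.any? { |k| v.is_a?(k) } }
      raise UnsafeParameter, 'array parameter contains non-scalar elements'
    end
    value
  elsif s.match?(/\A-?\d+\z/)
    s.to_i
  elsif s.match?(/\A-?\d+\.\d+\z/)
    s.to_f
  else
    str
  end
end

# Constructed token table standing in for a real authorization backend.
AUTHORIZED_TOKENS = { 'op-token-constructed' => 'operator' }.freeze

# Second point from the advisory: authorize BEFORE touching the parameters, so
# an unauthenticated request never reaches the converter at all. The request
# shape (:token, :method, :params) is an assumption of this example.
def handle_rpc(request)
  role = AUTHORIZED_TOKENS[request[:token]]
  return { error: 'unauthorized' } unless role

  # Only an authorized caller gets its (still untrusted) strings converted,
  # and only through the safe converter.
  params = request[:params].map { |p| convert_to_value_safe(p) }
  { result: { method: request[:method], params: params, role: role } }
rescue UnsafeParameter => e
  { error: e.message }
end
```

The useful check for reviewers is the unauthorized case: a request with a malformed array parameter and a bad token must come back as a plain "unauthorized" rather than a parse error, because a parse error would prove the parameter was processed before the authorization decision, which is exactly the ordering flaw the advisory calls out.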
Potential Impact
For European organizations, the impact of this vulnerability is severe. OpenC3 COSMOS is used to manage embedded systems, which may include critical infrastructure, industrial control systems, aerospace, or defense-related applications. Successful exploitation allows unauthenticated remote attackers to execute arbitrary Ruby code on the server hosting COSMOS, potentially leading to full system compromise, data theft, manipulation of embedded device commands, disruption of operations, and lateral movement within networks. The compromise of embedded system management platforms can have cascading effects on operational technology environments, causing safety risks, financial losses, and reputational damage. Given the criticality and unauthenticated nature of the vulnerability, attackers could rapidly exploit vulnerable systems across Europe, especially in sectors relying heavily on embedded systems management.
Mitigation Recommendations
European organizations should immediately upgrade OpenC3 COSMOS to version 6.10.2 or later, where the vulnerability is fixed. If immediate upgrade is not feasible, organizations should restrict access to the JSON-RPC API to trusted networks only, using network segmentation, firewalls, and VPNs to limit exposure. Implement strict input validation and monitoring on API endpoints to detect anomalous or malicious requests. Employ runtime application self-protection (RASP) or web application firewalls (WAFs) capable of detecting and blocking eval injection patterns. Conduct thorough audits of embedded systems management environments to identify and remediate any unauthorized access or suspicious activity. Additionally, review and tighten authorization logic to ensure no code execution occurs prior to authentication and authorization checks in future development cycles.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Finland, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-16T14:05:31.364Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69669561a60475309fa56540
Added to database: 1/13/2026, 6:56:33 PM
Last enriched: 1/21/2026, 2:57:59 AM
Last updated: 2/7/2026, 8:58:54 PM