CVE-2025-68271
OpenC3 · COSMOS
OpenC3 COSMOS 5.0.0 through 6.10.1 contains a critical RCE vulnerability in the JSON-RPC API where unauthenticated requests can trigger Ruby code execution via eval().
Executive summary
A critical remote code execution vulnerability in OpenC3 COSMOS allows unauthenticated attackers to execute arbitrary Ruby code via the JSON-RPC API.
Vulnerability
The vulnerability exists in the JSON-RPC API, where improper handling of string-to-value conversion leads to eval() being called on user-supplied input. This occurs during the command parsing phase, which runs before authorization checks are performed, so unauthenticated attackers can trigger the flaw.
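As an added illustration (not code from OpenC3 COSMOS; the affected routine is not reproduced here), the following shows the eval()-based string-to-value pattern the advisory describes next to a hardened converter that recognises literals only. The function names unsafe_convert, safe_convert and literal? are assumptions for this example.

```ruby
# Added example, not OpenC3 COSMOS code: a hypothetical string-to-value
# converter of the kind the advisory describes, in its eval()-based form
# and in a hardened form. The names unsafe_convert, safe_convert and
# literal? are assumptions for this illustration.

# Dangerous pattern: the caller's string is handed to the Ruby interpreter.
# "1 + 1" is not read as data, it is executed, which is the root cause of
# an eval()-based RCE when the string comes from an unauthenticated request.
def unsafe_convert(str)
  eval(str)
end

# Hardened pattern: recognise only the literal forms the API needs and
# return anything else untouched as a String. No input reaches eval().
def safe_convert(str)
  return str unless str.is_a?(String)
  s = str.strip
  case s
  when /\A[+-]?\d+\z/                   then Integer(s, 10)       # "42", "-7", "08"
  when /\A[+-]?\d+\.\d+(e[+-]?\d+)?\z/i then Float(s)             # "3.14", "1.0e3"
  when /\A(true|false)\z/i              then s.casecmp?("true")   # booleans
  when /\Anil\z/i                       then nil
  when /\A'(.*)'\z/m, /\A"(.*)"\z/m     then Regexp.last_match(1) # quoted text
  else str                              # unknown shape stays a String, never code
  end
end

# True when the converter recognised a literal; false when the value was
# passed through unchanged. A false result for a value containing
# punctuation such as ( ) ; or backticks is the kind of request worth
# flagging in API access logs, per the Proactive Monitoring item below.
def literal?(str)
  !safe_convert(str).equal?(str)
end
```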
Business impact
The ability to execute arbitrary Ruby code allows an attacker to gain full control over the application server, potentially leading to complete data exfiltration, service disruption, or lateral movement within the network. With the maximum CVSS score of 10, this is a critical vulnerability that requires immediate attention to prevent total system compromise.
Remediation
Immediate Action: Upgrade OpenC3 COSMOS to version 6.10.2 or later, which contains the necessary security fix for the JSON-RPC parsing logic.
Proactive Monitoring: Review API access logs for suspicious JSON-RPC payloads containing Ruby code patterns or unexpected string-to-value conversion attempts.
Compensating Controls: Restrict network access to the JSON-RPC API using IP whitelisting or by placing the service behind a VPN, preventing public exposure until the patch is applied.
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
This vulnerability is highly severe because it permits unauthenticated remote code execution. Administrators must prioritize updating to version 6.10.2 immediately to negate the risk of unauthorized system access.