CVE-2026-42087
OpenC3 · COSMOS
A SQL injection vulnerability in the OpenC3 COSMOS Time-Series Database component allows unauthenticated attackers to execute arbitrary SQL commands.
Executive summary
A critical SQL injection vulnerability in OpenC3 COSMOS allows remote attackers to execute arbitrary database commands and potentially delete sensitive data.
Vulnerability
The tsdb_lookup function in cvt_model.rb fails to sanitize user-supplied input before passing it to SQL queries. This enables an attacker to perform SQL injection, allowing for unauthorized data access, modification, or deletion.
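An added illustration of the defect class described above, written in Ruby because the affected file is cvt_model.rb; it is not OpenC3's code, and the telemetry table, its column names and the INST/HEALTH_STATUS/TEMP1 sample names are constructed assumptions. It contrasts a lookup that interpolates caller-supplied names into the query text with one that allowlists identifiers and hands the values to the driver as bind parameters.

```ruby
# Added example, not OpenC3 code. Table/column names are assumptions.
IDENTIFIER = /\A[A-Za-z0-9_]+\z/.freeze

# Vulnerable pattern: caller-controlled names are spliced into the SQL
# text, so a quote in any of them rewrites the statement's structure.
def tsdb_lookup_unsafe(target, packet, item)
  "SELECT ts, value FROM telemetry " \
    "WHERE target = '#{target}' AND packet = '#{packet}' AND item = '#{item}' " \
    "ORDER BY ts DESC LIMIT 1"
end

# Hardened pattern: accept only plain identifiers, then pass the values as
# bind parameters so the driver never parses them as SQL.
# Returns [sql, binds] for a driver that supports positional '?' markers.
def tsdb_lookup_safe(target, packet, item)
  { target: target, packet: packet, item: item }.each do |field, value|
    unless value.is_a?(String) && value.match?(IDENTIFIER)
      raise ArgumentError, "rejected #{field} name: #{value.inspect}"
    end
  end
  sql = "SELECT ts, value FROM telemetry " \
        "WHERE target = ? AND packet = ? AND item = ? " \
        "ORDER BY ts DESC LIMIT 1"
  [sql, [target, packet, item]]
end

# Structural check usable in a log review: a well-formed lookup carries
# exactly three quoted literals, so any other count means the input
# changed the statement rather than just filling a value.
def quoted_literal_count(sql)
  sql.scan(/'[^']*'/).length
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample names; the last one contains a stray quote.
  bad_item = "TEMP1' OR '1'='1"
  unsafe_sql = tsdb_lookup_unsafe("INST", "HEALTH_STATUS", bad_item)
  puts unsafe_sql
  puts "quoted literals: #{quoted_literal_count(unsafe_sql)} (expected 3)"
  p tsdb_lookup_safe("INST", "HEALTH_STATUS", "TEMP1")
  begin
    tsdb_lookup_safe("INST", "HEALTH_STATUS", bad_item)
  rescue ArgumentError => e
    puts "hardened lookup: #{e.message}"
  end
end
```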
Business impact
With a CVSS score of 9.6, this flaw poses a severe threat to the integrity and availability of the Time-Series Database. Successful exploitation could lead to the total compromise of stored telemetry or command data, potentially resulting in operational disruption of the embedded systems monitored by COSMOS.
Remediation
Immediate Action: Upgrade OpenC3 COSMOS to version 7.0.0-rc3 or later to resolve the underlying sanitization flaw.
Proactive Monitoring: Inspect database logs for abnormal query structures, such as unexpected use of SQL keywords or syntax errors indicative of injection attempts.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block common SQL injection patterns targeting the COSMOS API.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The severity of this SQL injection vulnerability necessitates immediate patching. Administrators should prioritize updating the COSMOS platform to prevent potential unauthorized database access and ensure the long-term integrity of their command and control environment.