External risk intelligence

OpenC3 COSMOS attackers can delete your data or take control

CVE advisory

Severity: CRITICAL (CVSS 9.6)

CVE-2026-42087

An external attacker could exploit a flaw in OpenC3 COSMOS to delete or manipulate critical stored data. This creates a business risk by potentially disrupting operational monitoring and the management of embedded hardware.

Halo Surface Signal: 2

SQL Injection

OpenC3 COSMOS

6.7.0 to before 7.0.0

7.0.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-42087

OpenC3 COSMOS is a specialized platform for managing embedded hardware telemetry and commands. Such systems are typically deployed within internal, restricted, or operational networks rather than on the public internet. Access normally requires authentication through the platform's user interface, which is rarely exposed to the public web in standard deployments.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in OpenC3 COSMOS allows an attacker to run arbitrary SQL commands by exploiting a weakness in how user input is handled. This means attackers could potentially delete data or compromise sensitive information within the system. Teams should pay attention because this issue could impact the integrity and availability of data managed by COSMOS.

  • Arbitrary SQL command execution.
  • Potential for data deletion.
  • Affects Time-Series Database component.

Attack Path

How an attacker could exploit the issue

An authenticated user could exploit this SQL injection vulnerability in OpenC3 COSMOS by crafting malicious input to the `tsdb_lookup` function. This would allow them to execute arbitrary SQL commands, potentially leading to data deletion or other unauthorized modifications within the time-series database. The impact is amplified by the ability to affect data integrity and availability.

  • Requires authenticated access.
  • Targets the TSDB component.
  • User input is directly used in queries.
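The pattern named in the last bullet, next to a hardened lookup, as an added illustration that is not OpenC3 COSMOS code. It uses SQLite in memory; `safe_tsdb_lookup`, `unsafe_query_text`, the `inst_health` table and its columns are hypothetical names, and the sample rows are constructed.

```python
import re
import sqlite3

# Identifiers (table/column names) cannot be bound as parameters, so they are
# restricted to a strict pattern and then checked against the live schema.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def make_sample_db():
    """Constructed sample data: one hypothetical telemetry table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE inst_health (ts INTEGER, temp1 REAL, temp2 REAL)")
    db.executemany("INSERT INTO inst_health VALUES (?, ?, ?)",
                   [(100, 20.5, 21.0), (200, 22.0, 21.5), (300, 23.5, 22.0)])
    return db


def unsafe_query_text(table, column, start_ts, end_ts):
    """The pattern to avoid: caller input becomes part of the SQL text."""
    return f"SELECT ts, {column} FROM {table} WHERE ts BETWEEN {start_ts} AND {end_ts}"


def safe_tsdb_lookup(db, table, column, start_ts, end_ts):
    """Hypothetical hardened lookup: verified identifiers, bound values."""
    for name in (table, column):
        if not isinstance(name, str) or not IDENT.fullmatch(name):
            raise ValueError(f"rejected identifier: {name!r}")
    schema = {row[1] for row in db.execute(f'PRAGMA table_info("{table}")')}
    if column not in schema:  # also covers an unknown table (empty schema)
        raise ValueError(f"unknown table or column: {table}.{column}")
    sql = f'SELECT ts, "{column}" FROM "{table}" WHERE ts BETWEEN ? AND ? ORDER BY ts'
    return db.execute(sql, (int(start_ts), int(end_ts))).fetchall()


if __name__ == "__main__":
    db = make_sample_db()
    print(safe_tsdb_lookup(db, "inst_health", "temp1", 100, 200))
    hostile = "temp1 FROM inst_health; DROP TABLE inst_health; --"  # constructed
    print(unsafe_query_text("inst_health", hostile, 100, 200))  # input alters the SQL
    try:
        safe_tsdb_lookup(db, "inst_health", hostile, 100, 200)
    except ValueError as exc:
        print("blocked:", exc)
```

Time bounds are coerced with `int()` before binding, so a non-numeric bound fails with `ValueError` instead of reaching the database.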

Live Threat

Current exploitation, exposure, and threat context

This SQL injection vulnerability in OpenC3 COSMOS affects versions from 6.7.0 up to, but not including, 7.0.0-rc3. It allows an authenticated user to execute arbitrary SQL commands by exploiting unsanitized user input in the `tsdb_lookup` function. Attackers would likely find this attractive for data exfiltration or manipulation, especially if the affected database holds sensitive operational data, but the need for prior authentication and the niche nature of the software may limit its widespread appeal.

  • SQL injection is a common attack.
  • Exploitation requires authentication.
  • Software is specialized.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching OpenC3 COSMOS instances, especially if they are exposed externally or accessible by unauthenticated users. This SQL injection vulnerability can allow attackers to execute arbitrary SQL commands and delete data. If patching is delayed, implement strict access controls and network segmentation to limit potential impact.

  • Patch to version 7.0.0-rc3.
  • Restrict network access to TSDB component.
  • Monitor for suspicious SQL queries.

Frequently asked questions

What is OpenC3 COSMOS and what is it used for?

OpenC3 COSMOS is an open-source command and control system designed for integration, testing, and operations of embedded systems. It allows users to send commands to and receive data from various hardware, such as test equipment and satellites, enabling system integration and operational management.

What type of vulnerability does CVE-2026-42087 represent?

CVE-2026-42087 is a SQL injection vulnerability, specifically categorized as CWE-89. This means an attacker can manipulate database queries by inserting malicious SQL code, potentially leading to unauthorized access or data modification.

How can an attacker exploit CVE-2026-42087 in OpenC3 COSMOS?

An attacker with authenticated access can exploit this vulnerability by providing specially crafted input to the `tsdb_lookup` function. This function directly incorporates user input into SQL queries without proper sanitization, allowing the attacker to execute arbitrary SQL commands.

Who should be concerned about CVE-2026-42087 based on its Halo Surface Signal?

This vulnerability is classified as external, meaning it could be accessible from the internet. Organizations with internet-facing instances of OpenC3 COSMOS should be particularly concerned, as the vulnerability's network-attack vector (AV:N) implies potential exposure beyond internal networks.

What is the first step to address CVE-2026-42087?

The primary and most effective step is to upgrade OpenC3 COSMOS to version 7.0.0-rc3 or later, as this version contains the fix for the SQL injection vulnerability.
