CVE-2025-28381
BaseFortify
Publication date: 2025-06-13
Last updated on: 2025-10-27
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openc3 | cosmos | 6.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-526 | The product uses an environment variable to store unencrypted sensitive information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-28381 is a credential leak vulnerability in OpenC3 COSMOS v6.0.0 where service credentials are stored as environment variables in all containers by default. Although scripts run by the Script Runner try to unset these environment variables to prevent leakage, these scripts can be modified by any user through the web interface. Attackers can alter the scripts to stop them from unsetting the credentials, and after rebooting the container, they can access and dump all environment variables, exposing sensitive service credentials. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to sensitive service credentials stored in container environment variables. Attackers who exploit this can gain access to these credentials, potentially allowing them to compromise other services, escalate privileges, or disrupt mission-critical operations. Since the containers run as root by default, the impact can be severe, including full system compromise or data breaches. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for the presence of environment variables containing service credentials within running OpenC3 COSMOS v6.0.0 containers. You can inspect environment variables in Docker containers by running commands such as `docker exec <container_id> env` or `docker inspect <container_id>` and reviewing the environment section. Additionally, verify if scripts intended to unset these environment variables have been modified by unauthorized users via the web interface. Monitoring for unexpected changes to these scripts and unusual container restarts can also help detect exploitation attempts. [1]
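One way to script the environment check described above, as an added example that is not from the advisory or from OpenC3: it lists credential-like variable names in each running container without printing their values. The keyword pattern, function names and sample variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list credential-like environment variable names per container.
# SECRET_PATTERN is an assumption (generic keywords), not a list from OpenC3.
SECRET_PATTERN='PASS|SECRET|TOKEN|CREDENTIAL|API_?KEY|PRIVATE_?KEY'

# Read KEY=VALUE lines on stdin and print "NAME (N chars)" for suspicious names.
# Values are never printed, so the audit output is safe to keep in logs.
flag_secret_env() {
    while IFS= read -r line; do
        case "$line" in
            *=*) ;;              # well-formed KEY=VALUE line
            *) continue ;;       # no "=", e.g. rest of a multi-line value
        esac
        name=${line%%=*}
        value=${line#*=}
        [ -n "$value" ] || continue   # empty value exposes nothing
        if printf '%s\n' "$name" | grep -Eiq "$SECRET_PATTERN"; then
            printf '%s (%d chars)\n' "$name" "${#value}"
        fi
    done
}

# Run the check against the configured environment of every running container.
audit_running_containers() {
    for id in $(docker ps -q); do
        hits=$(docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' "$id" | flag_secret_env)
        if [ -n "$hits" ]; then
            printf 'container %s:\n%s\n' "$id" "$hits"
        fi
    done
}

# Constructed sample input (hypothetical names and values) for an offline run.
sample_env() {
    cat <<'EOF'
PATH=/usr/local/bin:/usr/bin
EXAMPLE_SERVICE_PASSWORD=constructed-value-1
EXAMPLE_BUCKET_SECRET=constructed-value-22
EXAMPLE_API_URL=http://localhost:2900
EXAMPLE_EMPTY_TOKEN=
EOF
}

case "${1:-}" in
    --live)   audit_running_containers ;;
    --sample) sample_env | flag_secret_env ;;
esac
```

Run it with `--live` on the Docker host, or with `--sample` to see the output format on the constructed input.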
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include protecting the scripts responsible for unsetting environment variables from unauthorized modification by restricting write access via the web interface. Configure Docker containers to avoid running as root by default to limit the impact of potential exploits. Secure container restarts to prevent attackers from dumping environment variables after reboot. Additionally, audit and restrict user permissions on the web interface to prevent tampering with security-critical scripts. [1]