Disregard the physical destruction of satellites; consider the potential benefits of hacking them instead.

Unscrupulous Methods: Two German researchers demonstrate the effortless nature of a potential cyberattack

Satellite hacking as an alternative to destruction: an exploration

A series of critical security vulnerabilities has been uncovered in open-source satellite control and management software, posing significant risks to satellite operations. These issues were highlighted at the August 2025 Black Hat conference and in subsequent cybersecurity analyses.

The open-source software affected includes Yamcs, OpenC3 Cosmos, and NASA's Core Flight System (cFS).

Yamcs has at least five distinct vulnerabilities, allowing full compromise of the application. These include the ability to change a satellite's orbit undetected by sending manipulated commands to its thrusters. Additionally, there are unauthenticated telemessage vulnerabilities which can crash onboard software.

OpenC3 Cosmos shows an even worse security profile with seven identified vulnerabilities, including those that enable remote code execution and cross-site scripting (XSS) attacks. These vulnerabilities could potentially allow attackers to take control remotely from the ground station systems.

NASA's Core Flight System (cFS) has four critical flaws: two allow denial of service (DoS), one permits path traversal, and another allows remote code execution. These vulnerabilities can crash the flight software or provide attackers full code-execution control over NASA’s satellite systems.

Further concerns were raised about CryptoLib, an open-source cryptographic library widely used on satellites. It was found to have multiple vulnerabilities that could cause onboard software crashes via unauthenticated requests and reset encryption keys if misconfigured — severely compromising system security.

All these vulnerabilities have been reported to developers and patches issued. However, security experts warn that these incidents highlight the high risk and inherent difficulties in relying on open-source software for critical satellite control tasks. This suggests that other undiscovered critical issues may still exist.

One particularly concerning vulnerability, claimed by Starcik, allows crashing the entire onboard software of satellites with an unauthenticated telephone call.

As space exploration continues to expand, ensuring the security of satellite systems becomes increasingly important. It is crucial that measures are taken to mitigate these risks and prevent potential disruptions or unauthorized control of satellite systems.

  1. The recent discovery of critical security vulnerabilities in open-source software like Yamcs, OpenC3 Cosmos, and NASA's Core Flight System (cFS), presented at the Black Hat conference and in subsequent cybersecurity analyses, highlights the risks associated with satellite operations.
  2. Yamcs, a critical open-source software for satellite management, has at least five vulnerabilities, one of which permits undetected manipulation of a satellite's orbit via manipulated thruster commands.
  3. OpenC3 Cosmos, another open-source software, shows a more severe security profile with seven vulnerabilities, potentially enabling remote code execution and cross-site scripting (XSS) attacks.
  4. NASA's Core Flight System (cFS) has four critical flaws: two allow denial of service (DoS), one permits path traversal, and another allows remote code execution, posing potential threats to the flight software.
  5. Further concerns were raised about CryptoLib, an open-source cryptographic library widely used on satellites, due to multiple vulnerabilities that could cause onboard software crashes and reset encryption keys.
  6. As space exploration continues, it's crucial to address the high risks and inherent difficulties in relying on open-source software, especially for critical satellite control tasks, to prevent potential disruptions or unauthorized control of satellite systems.
