{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/yamcs-core--5.12.7/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["yamcs-core (\u003c 5.12.7)"],"_cs_severities":["critical"],"_cs_tags":["rce","code-injection","yamcs"],"_cs_type":"threat","_cs_vendors":["Yamcs"],"content_html":"\u003cp\u003eYamcs is vulnerable to a server-side code injection vulnerability (CVE-2026-46621) in its script evaluation engine for Python algorithms. The application dynamically compiles and evaluates user-controlled algorithm text using Jython via the JSR-223 ScriptEngine API without a secure sandbox. This vulnerability impacts Yamcs deployments where users have the \u003ccode\u003eChangeMissionDatabase\u003c/code\u003e privilege and a scripting engine like Jython is present. An authenticated user can exploit this by overriding the algorithm logic via the REST API at \u003ccode\u003e/api/mdb/{instance}/realtime/algorithms/{name}\u003c/code\u003e. The vulnerability affects \u003ccode\u003eyamcs-core\u003c/code\u003e versions prior to 5.12.7. \nThis allows an attacker to escalate from application-level configuration privileges to full System/OS control, leading to arbitrary command execution, data exfiltration, and lateral movement.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Yamcs application with an account possessing the \u003ccode\u003eChangeMissionDatabase\u003c/code\u003e privilege.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an existing algorithm defined in the Mission Database (MDB) with its language explicitly set to \u003ccode\u003epython\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing Jython code that leverages \u003ccode\u003ejava.lang.Runtime\u003c/code\u003e to execute arbitrary OS commands.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP PATCH request to \u003ccode\u003e/api/mdb/{instance}/realtime/algorithms/{name}\u003c/code\u003e to inject the malicious code into the identified Python algorithm.\u003c/li\u003e\n\u003cli\u003eThe Yamcs server receives the PATCH request and updates the algorithm\u0026rsquo;s text with the provided malicious code.\u003c/li\u003e\n\u003cli\u003eThe Yamcs server compiles the injected Jython code into an executable script on the fly.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the evaluation of the modified algorithm, potentially by sending telemetry data that the algorithm depends on.\u003c/li\u003e\n\u003cli\u003eThe injected Jython code executes the attacker-controlled OS command, achieving remote code execution on the host system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability impacts Yamcs deployments where users have the \u003ccode\u003eChangeMissionDatabase\u003c/code\u003e privilege. \nAn attacker can leverage this to escalate from application-level configuration privileges to full System/OS control, leading to arbitrary command execution. This can result in data exfiltration and potential lateral movement within the hosting infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Yamcs to version 5.12.7 or later to patch CVE-2026-46621.\u003c/li\u003e\n\u003cli\u003eReview and restrict the privileges granted to users, especially the \u003ccode\u003eChangeMissionDatabase\u003c/code\u003e privilege, to minimize the attack surface.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Yamcs Jython Code Injection\u0026rdquo; to monitor for attempts to inject malicious Jython code into algorithms.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to attacker-controlled webhooks or other suspicious destinations, such as the URL listed in the IOC table.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T22:53:33Z","date_published":"2026-05-27T22:53:33Z","id":"https://feed.craftedsignal.io/briefs/2026-05-yamcs-rce/","summary":"Yamcs is vulnerable to authenticated remote code execution (CVE-2026-46621) where an authenticated user with the ChangeMissionDatabase privilege can inject malicious Jython code into existing Python algorithms, leading to arbitrary command execution on the underlying host operating system.","title":"Yamcs Authenticated Remote Code Execution via Jython Algorithm Code Injection","url":"https://feed.craftedsignal.io/briefs/2026-05-yamcs-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Yamcs-Core (\u003c 5.12.7)","version":"https://jsonfeed.org/version/1.1"}