Attack Chain

1. An attacker authenticates to the Yamcs application with an account possessing the ChangeMissionDatabase privilege.
2. The attacker identifies an existing algorithm defined in the Mission Database (MDB) with its language explicitly set to python.
3. The attacker crafts a malicious payload containing Jython code that leverages java.lang.Runtime to execute arbitrary OS commands.
4. The attacker sends an HTTP PATCH request to /api/mdb/{instance}/realtime/algorithms/{name} to inject the malicious code into the identified Python algorithm.
5. The Yamcs server receives the PATCH request and updates the algorithm’s text with the provided malicious code.
6. The Yamcs server compiles the injected Jython code into an executable script on the fly.
7. The attacker triggers the evaluation of the modified algorithm, potentially by sending telemetry data that the algorithm depends on.
8. The injected Jython code executes the attacker-controlled OS command, achieving remote code execution on the host system.

Impact

This vulnerability impacts Yamcs deployments where users have the ChangeMissionDatabase privilege. An attacker can leverage this to escalate from application-level configuration privileges to full System/OS control, leading to arbitrary command execution. This can result in data exfiltration, and potential lateral movement within the hosting infrastructure.

Recommendation

• Upgrade Yamcs to version 5.12.7 or later to patch CVE-2026-46621.
• Review and restrict the privileges granted to users, especially the ChangeMissionDatabase privilege, to minimize the attack surface.
• Deploy the Sigma rule “Detect Yamcs Jython Code Injection” to monitor for attempts to inject malicious Jython code into algorithms.
• Monitor network traffic for connections to attacker-controlled webhooks or other suspicious destinations, such as the URL listed in the IOC table.