{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/yamcs/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["yamcs-core ( \u003c 5.12.7 )"],"_cs_severities":["critical"],"_cs_tags":["rce","code-injection","yamcs"],"_cs_type":"threat","_cs_vendors":["Yamcs"],"content_html":"\u003cp\u003eA server-side code injection vulnerability has been identified in Yamcs, specifically affecting the \u003ccode\u003eorg.yamcs.algorithms.JavaExprAlgorithmExecutionFactory\u003c/code\u003e component. This flaw allows an authenticated user with the \u003ccode\u003eChangeMissionDatabase\u003c/code\u003e privilege to inject arbitrary Java code into the algorithm evaluation engine. The application dynamically compiles and evaluates this user-controlled algorithm text using the Janino compiler, but lacks a secure sandbox to prevent malicious code execution. Exploitation leads to Remote Code Execution (RCE) on the underlying host operating system. Discovered and reported by Pablo Picurelli Ortiz, this vulnerability is present in Yamcs versions prior to 5.12.7.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid credentials to a Yamcs instance with an active processor (e.g., \u003ccode\u003einstance=myproject\u003c/code\u003e, \u003ccode\u003eprocessor=realtime\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Yamcs REST API using the acquired credentials, ensuring they possess the \u003ccode\u003eSystemPrivilege.ChangeMissionDatabase\u003c/code\u003e privilege.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious Java payload designed to execute arbitrary OS commands. This payload often utilizes \u003ccode\u003ejava.lang.Runtime.getRuntime().exec()\u003c/code\u003e to initiate a reverse shell or establish an external webhook connection.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an authenticated HTTP \u003ccode\u003ePATCH\u003c/code\u003e request to the MDB override endpoint, targeting an existing algorithm (e.g., \u003ccode\u003ecopySunsensor\u003c/code\u003e). The request body contains the malicious Java code within the \u003ccode\u003etext\u003c/code\u003e field of the algorithm definition.\u003c/li\u003e\n\u003cli\u003eThe Yamcs server receives the \u003ccode\u003ePATCH\u003c/code\u003e request and updates the targeted algorithm\u0026rsquo;s text with the attacker-supplied Java code.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the evaluation of the modified algorithm. This can be achieved by sending telemetry data that the algorithm depends on, simulating real-world sensor readings.\u003c/li\u003e\n\u003cli\u003eThe Yamcs server employs the Janino \u003ccode\u003eSimpleCompiler\u003c/code\u003e to dynamically compile the injected Java text into a Java class. Due to the absence of a restrictive \u003ccode\u003eClassLoader\u003c/code\u003e, the compilation process proceeds without any security constraints.\u003c/li\u003e\n\u003cli\u003eThe compiled malicious Java code is executed by the Yamcs server, resulting in arbitrary command execution on the host operating system. This allows the attacker to perform actions such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants an attacker with application-level configuration privileges full control over the Yamcs server\u0026rsquo;s underlying operating system. This can lead to arbitrary command execution, sensitive data exfiltration, and the potential for lateral movement within the network where the Yamcs server is hosted. The impact is severe, potentially compromising the entire system and its data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Yamcs to version 5.12.7 or later to patch CVE-2026-44632.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit the number of users with the \u003ccode\u003eChangeMissionDatabase\u003c/code\u003e privilege.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to detect attempts to inject malicious Java code into Yamcs algorithms.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to the webhook URL provided in the IOC table.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T00:07:37Z","date_published":"2026-05-27T00:07:37Z","id":"https://feed.craftedsignal.io/briefs/2026-05-yamcs-rce/","summary":"A server-side code injection vulnerability exists in Yamcs algorithm evaluation engine, allowing an authenticated user with `ChangeMissionDatabase` privilege to achieve Remote Code Execution (RCE) by injecting a malicious Java payload via the Janino compiler.","title":"Yamcs Server-Side Code Injection via Janino Expression Engine","url":"https://feed.craftedsignal.io/briefs/2026-05-yamcs-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Yamcs","version":"https://jsonfeed.org/version/1.1"}