
Two security researchers from VisionSpace, Andrzej Olchawa and Milenko Starcik, revealed critical weaknesses in open-source software used in both spaceborne and ground systems. If exploited, these vulnerabilities could allow an attacker to take over satellites or ground control, IEEE Spectrum reports.
They studied NASA’s core Flight System (cFS), which is used onboard satellites and missions such as the James Webb Space Telescope and the Odysseus lunar lander. On the ground side, they examined the Yamcs mission control system used by operators to issue commands to the spacecraft.
The researchers described many of the flaws as “trivial,” “easy to exploit,” and “low-hanging fruit.” For example, within a few hours, they were able to find vulnerabilities that could let an attacker send unauthorized commands, change orbits, fire thrusters, modify configuration files, or bypass authentication.
They presented 37 separate vulnerabilities at Black Hat USA and DEF CON in 2025. All of them affect open-source software. Though the vulnerabilities have been patched since disclosure, the researchers warn that many space systems still depend on software that hasn’t been thoroughly tested, especially closed-source code, which is less accessible to independent scrutiny.
One scenario: an adversary gains access to a ground station or the mission control system via phishing or by exploiting weak authentication or web-interface flaws. Once inside, they could send arbitrary commands to the spacecraft. In some cases, attacks might require physical proximity (like being near a ground station); in others, such as Yamcs, remote attack routes are more feasible.
The core takeaway: despite the critical nature of space missions, cybersecurity is still often an afterthought. Open-source systems get patched after exposure, but the larger issue lies in overall risk posture, increasing connectivity, and legacy assumptions of isolation that no longer hold.