Improper Firmware Signature Verification (CVE‑2026‑13743) in CubeSpace CW0057 Reaction Wheel Allows Malicious Firmware Upload
What It Is — CubeSpace reports that firmware versions prior to 5.0.20 for the CW0057 Reaction Wheel fail to properly verify cryptographic signatures. An attacker with physical access can upload arbitrary malicious firmware without authentication.
Exploitability — Requires physical access to the device; no public exploit code, but the flaw is exploitable in‑field. CVSS v3 6.1 (moderate).
Affected Products — CubeSpace CW0057 Reaction Wheel (all firmware < 5.0.20).
Why It Matters for Compliance & Audit Readiness
- SOC 2 Change Management (CC6.1) and System Operations (CC6.2) demand documented, verifiable firmware‑update processes; a missing signature check breaks that audit trail.
- Continuous control monitoring must capture firmware version changes to prove that only authorized, signed code runs on critical infrastructure.
- Enabling secure‑boot and recording the configuration change provides defensible evidence for regulators and enterprise customers.
Recommended Actions
- Deploy CubeSpace firmware 5.0.20 or later on all CW0057 units.
- Activate the signed‑boot (cryptographically verified secure boot) feature and record the change in your configuration management system.
- Integrate automated checks that flag any firmware version drift as part of your continuous compliance monitoring.
Source: CISA Advisory – ICSA‑26‑183‑02