YAMCS yamcs-core 5.12.7 Vulnerability Allows Unlimited Brute‑Force Login Attempts
What Happened — The YAMCS yamcs‑core server (versions < 5.12.7) does not enforce rate‑limiting or lockout on the /auth/token endpoint. An attacker can send unlimited credential‑guessing requests and receive a 401 response for each failed attempt, enabling practical brute‑force attacks.
Why It Matters for TPRM —
- Credential‑brute‑force against a telemetry/control‑system API can lead to full system compromise.
- Absence of basic rate‑limiting indicates weak security hygiene in a third‑party SaaS provider.
- Down‑stream customers may inherit the risk without realizing the vendor’s control gaps.
Who Is Affected — Aerospace, satellite, defense, and scientific‑research organisations that integrate YAMCS for mission‑control or telemetry data; the vendor is an API‑provider SaaS platform.
Recommended Actions — Verify that the provider has upgraded to yamcs‑core ≥ 5.12.7, test the /auth/token endpoint for rate‑limiting, enforce MFA for privileged accounts, and add monitoring for repeated failed login attempts.
Technical Notes — Attack vector: unauthenticated HTTP POST to /auth/token; CVE‑2026‑44596, CWE‑307 (Improper Restriction of Excessive Authentication Attempts); CVSS 5.3 (Medium). Fix: upgrade to yamcs‑core 5.12.7 or later. Source: Exploit‑DB 52605