NASA Mission Control Security Bug Stayed Hidden For 3 Years

Security vulnerability researchers have exclusively revealed to me that a critical bug remained hidden in the software protecting communications between NASA spacecraft and Earth for an incredible three years. A successful attacker could, but fortunately didn’t, “influence or disrupt spacecraft operations in mission-significant ways,” Stanislav Fort, co-founder and chief scientist at AISLE, the security organization that discovered and responsibly disclosed the vulnerability to NASA, said. Here’s everything you need to know as cybersecurity in space comes under the spotlight.

ForbesCISA Warns iPhone And Android Users — Secure Your Smartphone NowBy Davey Winder

When NASA Authentication Code Becomes A Space Attack Vector

Authentication code is the glue holding many security systems together. Whether you are talking about basic-level two-factor authentication as used to help secure our apps, or the more advanced stuff used to encrypt data within things like Windows BitLocker.

When it comes to mission-critical software, such as that developed and used by NASA and crucial for protecting the communications between spacecraft and Earth, you would hope that authentication is both highly advanced and highly secure. Yet a critical flaw in CryptoLib, unearthed, pardon the pun, by AISLE’s autonomous analyzer, was uncovered in the authentication path. Tracked as CVE-2025-59534, it turned out that the vulnerability had stayed hidden in plain sight for three years, between September 2022 and September 2025. “For over 1,100 days,” Fort said, “authentication code meant to secure spacecraft communications contained a command injection vulnerability.”A rapid response by NASA ensured that, upon disclosure, the vulnerability was fixed within four days.

“The vulnerability transformed what should be a routine authentication configuration into a weapon,” Fort told me in an exclusive interview, adding that “an attacker who can control either the username or keytab file path configuration values (perhaps through compromised operator credentials or social engineering) can inject arbitrary commands that execute with full system privileges.” If it needs spelling out, when it comes to spacecraft operations, this is particularly dangerous as “that authentication configuration often happens during mission setup or system maintenance, periods when security vigilance might be focused elsewhere.”

Just how dangerous this security vulnerability was can be seen in the potential havoc it could wreak if exploited. Fort told me that, in very practical terms, this could include:

In practical terms, this could enable:

• Access to classified mission data.
• Injecting false telemetry data or disrupting communications during critical mission phases.
• Command and control compromise.
• Compromising the ground infrastructure that connects mission controllers to vehicles in orbit

ForbesFBI Warns That Hackers Are Posing As Fake Feds — What You Need To KnowBy Davey Winder

What You Need To Know About The NASA CVE-2025-59534 Vulnerability

“Space missions rely on trustworthy cryptography. CryptoLib implements the Space Data Link Security protocol used across NASA missions,” Fort explained, “when that layer fails, spacecraft commands, telemetry, and science data are at stake.” CVE-2025-59534 was that weak point. The vulnerable function built a ‘kinit command string’ from configuration values and executed it via system(). “Shell metacharacters in username or keytab\_file\_path turned configuration into code,” Fort said, “a design choice that made authentication code an execution vector.”

The reason it could stay undiscovered for so long is that “a familiar system() pattern lived in a CAM/keytab login path that teams rarely exercise,” I was told, “while reviews and tests didn’t include adversarial inputs and configuration was implicitly trusted.” This meant that code review, static analysis, and fuzzing didn’t flag it because it lives in configuration-handling code that looks harmless. “The triggering inputs are valid config strings with shell meta characters,” Fort explained, “which fuzzers rarely explore.”

You can read the full technical report here.

A NASA spokesperson provided the following statement: “NASA prioritizes the cybersecurity of its systems to ensure they remain safe, trustworthy, and reliable for visitors. In addition to continuously scanning our systems for vulnerabilities, we also invite the public and security researchers to report any potential problems or misuses of our systems in good faith, through our Vulnerability Disclosure Program. NASA takes prompt action to validate and resolve all third-party reports, identifying and mitigating them appropriately.”

ForbesDo Not Download These Windows Security Updates, Experts WarnBy Davey Winder