In satellites, each maneuver depends on software that is rarely subjected to public security evidence. Demonstrations in controlled environments have put vulnerabilities on the table that, under certain conditions, could allow the Remote Space Systems Control. It is not a timely failure or an isolated experiment: it is a sign that security should be reviewed with magnifying glass before it becomes news for wrong reasons.
In August, during conferences Black Hat USA and Def with held in Las Vegas, researchers shared their findings, According to IEEE Spectrum. The work focused on two key pieces: the Core Flight System (CFS), used in NASA multiple missions, including the telescope James Webband Yamcs, a control system of the European company Space Applications Services. The failures, however, were identified and corrected before their dissemination.
The finding reopening the debate on cybersecurity in space
Behind the finding are Andrzej Olchawa and Milenko Starcik, experts from Visionspace with direct experience in space operations. They analyzed open source software with the mentality of an adversary, seeking reproducible vulnerabilities. They did not need months of analysis: in a few hours they managed to locate 37 failures that, in controlled scenarios, allowed to manipulate critical systems. They acted on their own environments and coordinated with developers to patch the software before disseminating their conclusions.
The analysis of the Core Flight System (CFS) revealed that, although it is a key piece in NASA missions, its exploitation would not be simple. To compromise it would take toCceso Physical to a land station and operate at frequencies reserved for space communications. Even so, researchers warn that, in the hands of a state actor with sufficient resources and coverage, this scenario is plausible. In their demonstration they explained that, with that capacity, it would be possible to raise orders to the satellite and modify their behavior.
Yamcs, unlike CFS, was more accessible to an attacker. The researchers showed that a campaign would suffice Phishing Successful to load a malicious configuration in the control center. With that entrance door they could issue arbitrary orders or alter files, all from any location with Internet connection. The exercise showed how this vector opens a much larger and less protected attack surface.
In Black Hat USA 2025, Andrzej Olchawa deepened the reach of the tests and shared details on how vulnerabilities exploited. He stressed that All maneuvers were executed in simulated environments and that no real satellite was at risk. His explanation sought to give unlarmed technical context, showing precisely how far actors with sufficient knowledge and access to the right systems could reach.
“In some cases, we were able to send arbitrary telecomandos to the ships through the mission control system. In others, we managed to take control of the entire control center and, in other cases, if you are able to send telecomands to the ship, you can get remote execution of code directly in it.”
The threat panorama has changed: where there were private networks and local stations before, there are now remote control, cloud services and connections from home. This evolution multiplies the attack possibilities, according to researchers, and explains why theoretical vulnerabilities are now a reason for alert. An example is THE ATTACK AGAINST VIASAT IN 2022which affected thousands of users and coincided with the beginning of the war in Ukraine. The case suggests that space systems are not isolated from global conflicts.
Corrections arrived on time for open projects, with updates that mitigated the techniques demonstrated in the laboratory. The pending challenge is in closed systemswhere the absence of access to the code limits the review by external experts.
Images | Gontran Isnard | Xataka with Grok
GIPHY App Key not set. Please check settings