CISA has published an industrial control systems advisory (ICSA-26-183-02) for the CubeSpace CW0057 Reaction Wheel, a satellite attitude-control component deployed worldwide. The advisory covers a single vulnerability rooted in the device’s failure to cryptographically verify firmware images before accepting them.

The Vulnerability

CVE-2026-13743 affects CW0057 Reaction Wheel firmware versions prior to 5.0.20. The device currently uses a CRC-32 integrity check to validate firmware updates. A CRC confirms that an image has not been corrupted in transit, but because anyone can compute it over any image, it does nothing to verify the image’s origin. An attacker with physical access can therefore substitute and upload arbitrary firmware without authentication. The weakness is classified as CWE-347 (Improper Verification of Cryptographic Signature).
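The distinction the advisory turns on, integrity versus authenticity, is easy to show in code. The following is an added example written for this summary, not CubeSpace code and not the CW0057 image format: it models the pre-5.0.20 check as a CRC-32 trailer and a signed-boot check as an Ed25519 signature verified against a public key pinned in the bootloader, then runs both over three constructed images (the vendor’s, an untrusted party’s, and a vendor image with one flipped bit). The payloads and keys are generated in-program and stand in for real firmware and the vendor’s signing key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Constructed image layouts for this example (not the CW0057 format):
// integrity-only image: payload || 4-byte little-endian CRC-32 of the payload
// signed image:         payload || 64-byte Ed25519 signature over the payload
const (
	crcTrailerLen = 4
	sigTrailerLen = ed25519.SignatureSize
)

// appendCRC32 builds the integrity-only image. No secret is involved, so any
// party able to write to the device can produce a valid trailer.
func appendCRC32(payload []byte) []byte {
	out := make([]byte, len(payload)+crcTrailerLen)
	copy(out, payload)
	binary.LittleEndian.PutUint32(out[len(payload):], crc32.ChecksumIEEE(payload))
	return out
}

// verifyCRC32 models the pre-5.0.20 check: it detects transport corruption
// but cannot tell who produced the image.
func verifyCRC32(image []byte) error {
	if len(image) < crcTrailerLen {
		return errors.New("image too short")
	}
	split := len(image) - crcTrailerLen
	if crc32.ChecksumIEEE(image[:split]) != binary.LittleEndian.Uint32(image[split:]) {
		return errors.New("CRC-32 mismatch: image corrupted")
	}
	return nil
}

// signImage is the vendor-side step; only the private-key holder can perform it.
func signImage(priv ed25519.PrivateKey, payload []byte) []byte {
	return append(append([]byte{}, payload...), ed25519.Sign(priv, payload)...)
}

// verifySigned models a signed-boot check against the pinned vendor public key.
func verifySigned(pub ed25519.PublicKey, image []byte) error {
	if len(image) < sigTrailerLen {
		return errors.New("image too short")
	}
	split := len(image) - sigTrailerLen
	if !ed25519.Verify(pub, image[:split], image[split:]) {
		return errors.New("signature invalid: image not from the trusted signer")
	}
	return nil
}

// Outcome records whether each check accepted a given image.
type Outcome struct {
	CRCOK       bool
	SignatureOK bool
}

// Compare runs both checks over three constructed images and reports the results.
func Compare(pub ed25519.PublicKey, priv ed25519.PrivateKey) map[string]Outcome {
	vendor := []byte("constructed vendor firmware payload")
	other := []byte("constructed payload from an untrusted party")
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // a key the bootloader does not trust
	if err != nil {
		panic(err)
	}
	// flip simulates a one-bit transport error in the first payload byte.
	flip := func(b []byte) []byte { c := append([]byte{}, b...); c[0] ^= 0x01; return c }

	images := map[string][2][]byte{
		"vendor":    {appendCRC32(vendor), signImage(priv, vendor)},
		"untrusted": {appendCRC32(other), signImage(otherPriv, other)},
		"corrupted": {flip(appendCRC32(vendor)), flip(signImage(priv, vendor))},
	}
	out := make(map[string]Outcome, len(images))
	for name, pair := range images {
		out[name] = Outcome{
			CRCOK:       verifyCRC32(pair[0]) == nil,
			SignatureOK: verifySigned(pub, pair[1]) == nil,
		}
	}
	return out
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the vendor's signing key
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"vendor", "untrusted", "corrupted"} {
		o := Compare(pub, priv)[name]
		fmt.Printf("%-10s CRC-32 accepts: %-5t  signature accepts: %t\n", name, o.CRCOK, o.SignatureOK)
	}
}
```

Both checks reject the corrupted image, which is all a CRC was ever designed to do. Only the signature check distinguishes the vendor’s image from the untrusted one; the CRC accepts both, because the untrusted party simply recomputes the trailer over its own payload. A signed-boot design also has to keep the pinned public key out of reach of the update path, which is the property the advisory’s recommended immutable mode is meant to provide.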

The CVSS 3.1 base score is 6.1 (Medium), reflecting a physical-access attack vector. Under CVSS 4.0 the score drops to 3.3 (Low). Exploitation requires hands-on access to the hardware; the vulnerability is not remotely exploitable.

Scope and Impact

  • Affected products: CubeSpace CW0057 Reaction Wheel, all firmware versions below 5.0.20
  • Vendor: CubeSpace (headquartered in South Africa)
  • Deployment: Worldwide, critical infrastructure (Communications sector)
  • Recoverability: CubeSpace notes that the bootloader operates independently of application firmware, so a compromised unit can be restored from known-good vendor-supplied images and cannot be permanently disabled by this method

Remediation

CubeSpace has released firmware version 5.0.20, which introduces optional cryptographic secure boot at varying security levels. Critically, this protection is not enabled by default. Operators must actively enable signed-boot functionality, and CubeSpace specifically recommends activating fully immutable mode to achieve the highest protection level. Simply updating to 5.0.20 without enabling secure boot does not close the vulnerability.

Mitigations for Unpatched Systems

Because exploitation requires physical access, the most effective near-term control is restricting physical access to affected hardware. CISA’s standard ICS guidance also applies: isolate control system networks behind firewalls, avoid direct internet exposure, and use VPNs for any required remote access. No known public exploitation of this vulnerability has been reported to CISA.

The vulnerability was reported to CISA by security researcher Anthony Rose.