CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-13743

criticalcovered by 2 sourcesfirst seen 2026-07-02
View CSAF Summary Successful exploitation of this vulnerability could allow an attacker to upload arbitrary malicious firmware to the device. The following versions of CubeSpace CW0057 Reaction Wheel are affected: CW0057 Reaction Wheel CVSS Vendor Equipment Vulnerabilities v3 6.1 CubeSpace CubeSpace CW0057 Reaction Wheel Improper Verification of Cryptographic Signature Background Critical Infrastructure Sectors: Communications Countries/Areas Deployed: Worldwide Company Headquarters Location: South Africa Vulnerabilities Expand All + CVE-2026-13743 CubeSpace CW0057 Reaction Wheel firmware versions prior to 5.0.20 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. This could allow an attacker with physical access to the product to upload arbitrary malicious firmware to the device without authentication. View CVE Details Affected Products CubeSpace CW0057 Reaction Wheel Vendor: CubeSpace Product Version: CubeSpace CW0057 Reaction Wheel: <firmware_5.0.20 Product Status: known_affected Remediations Vendor fix CubeSpace has released the following firmware versions for users to enable: Firmware version 5.0.20. Firmware version 5.0.20 introduces the capability for cryptographically verified secure boot; however, this protection is not enabled by default. Users must activate signed‑boot functionality, particularly the fully immutable mode, to achieve full security. Mitigation CubeSpace acknowledges the finding. The CW0057 reaction wheel authenticates firmware updates with a CRC-32 integrity check, which confirms image integrity but does not verify the source of an image. Exploitation requires direct physical access to the device and is not exploitable remotely. A device affected by this method remains recoverable: the bootloader operates independently of the application firmware and can reload known-good, CubeSpace-supplied images, so an affected unit cannot be permanently disabled by this method. Starting with firmware version 5.0.20, Cube

CSIRTS triage

What
A vulnerability could allow an attacker to upload arbitrary malicious firmware.
Who is affected
Users of CubeSpace CW0057 Reaction Wheel with the specified firmware versions.
Urgency
Remediation is urgent due to the critical nature of the vulnerability.
Action
Update to firmware version 5.0.20 or later.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-13743

Get an email if CVE-2026-13743 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-13743

CVE.org record

Embed the live status

CVE-2026-13743 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-13743 status](https://www.csirts.com/badge/CVE-2026-13743)](https://www.csirts.com/cve/CVE-2026-13743)