CISA Warns of Physical Firmware Tampering Risk in CubeSpace CW0057 Reaction Wheel
CISA has issued an advisory for CubeSpace CW0057 Reaction Wheel firmware versions prior to 5.0.20, detailing CVE-2026-13743, a vulnerability allowing malicious firmware uploads via physical access.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory highlighting a critical vulnerability, CVE-2026-13743, affecting CubeSpace CW0057 Reaction Wheel devices with firmware versions preceding 5.0.20. This vulnerability, classified as an Improper Verification of Cryptographic Signature, poses a risk of malicious firmware being uploaded to the device.
The core of the issue lies in the device's firmware update mechanism. While the CW0057 reaction wheel employs a CRC-32 integrity check to ensure that the firmware image itself is not corrupted, it lacks a robust verification of the signature or origin of that firmware. This oversight allows an attacker who has gained physical access to the device to bypass authentication and upload arbitrary, potentially malicious, firmware.
Exploitation of this vulnerability requires direct physical access to the CubeSpace CW0057 Reaction Wheel, which significantly limits the attack surface. CISA emphasizes that the vulnerability is not exploitable over a network, so widespread, automated attacks are not a concern.
CubeSpace has addressed this vulnerability by releasing firmware version 5.0.20. This update introduces the capability for cryptographically verified secure boot. However, it is crucial for users to understand that this enhanced security feature is not enabled by default. To fully protect their devices, customers must actively enable the signed-boot functionality, particularly the fully immutable mode, within the firmware settings.
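The distinction the advisory draws, an integrity check (CRC-32) versus an origin check (a cryptographic signature), and the point that the signed-boot policy is off by default, can be seen in a short model. This is an added example, not CubeSpace code, and the image layout (payload followed by a 4-byte CRC-32 trailer) and the Ed25519 vendor key are constructed assumptions for illustration only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// Constructed layout for this example (not the CW0057's real format): payload || CRC-32 (LE).
func buildImage(payload []byte) []byte {
	trailer := make([]byte, 4)
	binary.LittleEndian.PutUint32(trailer, crc32.ChecksumIEEE(payload))
	return append(append([]byte{}, payload...), trailer...)
}

// crcIntact answers "is the image uncorrupted?" and nothing more: the trailer is
// computable by anyone, so it says nothing about who produced the image.
func crcIntact(img []byte) bool {
	if len(img) < 4 {
		return false
	}
	body, trailer := img[:len(img)-4], img[len(img)-4:]
	return crc32.ChecksumIEEE(body) == binary.LittleEndian.Uint32(trailer)
}

// acceptUpdate models the two policies the advisory contrasts. With signed boot
// disabled (the default the advisory describes) only the CRC is consulted; with it
// enabled the payload must also carry a valid signature from the vendor's key.
func acceptUpdate(signedBoot bool, vendorPub ed25519.PublicKey, img, sig []byte) bool {
	if !crcIntact(img) {
		return false
	}
	if !signedBoot {
		return true
	}
	return ed25519.Verify(vendorPub, img[:len(img)-4], sig)
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key
	official := buildImage([]byte("CW0057 app fw (constructed sample)"))
	sig := ed25519.Sign(vendorPriv, official[:len(official)-4])
	// An image of unknown origin: its CRC is correct, but it carries no vendor signature.
	foreign := buildImage([]byte("unsigned image (constructed sample)"))
	fmt.Println("signed boot off, foreign image: ", acceptUpdate(false, vendorPub, foreign, nil)) // true
	fmt.Println("signed boot on,  foreign image: ", acceptUpdate(true, vendorPub, foreign, nil))  // false
	fmt.Println("signed boot on,  official image:", acceptUpdate(true, vendorPub, official, sig)) // true
}
```

The first line of output is the pre-5.0.20 behaviour: a CRC-only check cannot distinguish a vendor image from any other well-formed one, which is why the fix only helps once signed boot is actually switched on.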
Despite the potential for firmware tampering, CubeSpace assesses the practical risk as low. This assessment is based on the physical access requirement for exploitation and the inherent recoverability of affected devices. The device's bootloader operates independently of the application firmware. This means that even if malicious firmware is uploaded, the bootloader can still reload known-good, CubeSpace-supplied images, preventing the device from being permanently disabled.
CISA recommends standard defensive measures for industrial control systems (ICS) to further minimize risk. These include minimizing network exposure, isolating control system devices behind firewalls, and using secure methods like VPNs for remote access. Organizations are urged to perform thorough impact analyses and risk assessments before implementing any new security measures.
While no public exploitation of CVE-2026-13743 has been reported to CISA at this time, the advisory serves as a proactive warning. The vulnerability affects CubeSpace CW0057 Reaction Wheel devices deployed worldwide, particularly within the Communications critical infrastructure sector. Users are encouraged to update to firmware version 5.0.20 and enable the secure boot features to safeguard their systems against potential physical tampering.