Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
The MAVLink communication protocol does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled, any message -- including SERIAL_CONTROL, which provides interactive shell access -- can be sent by an unauthenticated party with access to the MAVLink interface. PX4 provides MAVLink 2.0 message signing as the cryptographic authentication mechanism for all MAVLink communication. When signing is enabled, unsigned messages are rejected at the protocol level.
AnalysisAI
Unauthenticated remote code execution in PX4 Autopilot via MAVLink protocol allows network attackers to execute arbitrary commands through SERIAL_CONTROL messages when message signing is disabled. The MAVLink 2.0 protocol in PX4 accepts unsigned messages by default, enabling any party with network access to the MAVLink interface to send interactive shell commands without cryptographic authentication. EPSS data not provided; no KEV status confirmed; reported by ICS-CERT indicating potential operational technology impact.
Technical ContextAI
MAVLink (Micro Air Vehicle Link) is a lightweight messaging protocol widely used for communication between ground control stations and unmanned vehicles, particularly in drone and robotics applications. PX4 Autopilot (identified by CPE cpe:2.3:a:px4:autopilot) implements MAVLink 2.0 as its primary communication protocol. The vulnerability stems from CWE-306 (Missing Authentication for Critical Function), where the protocol accepts messages without cryptographic validation when optional message signing features are not explicitly enabled. The SERIAL_CONTROL message type provides direct interactive shell access to the autopilot system, effectively granting command execution capabilities. MAVLink 2.0 includes an optional message signing mechanism using HMAC-SHA256 cryptographic authentication, but this security feature requires deliberate configuration and is not enforced by default in the protocol implementation.
RemediationAI
Enable MAVLink 2.0 message signing cryptographic authentication on all PX4 Autopilot deployments immediately to reject unsigned messages at the protocol level. Configuration instructions are available in official PX4 documentation at https://docs.px4.io/main/en/mavlink/message_signing with security hardening guidance at https://docs.px4.io/main/en/mavlink/security_hardening. Message signing requires generating shared secret keys and configuring both ground control stations and autopilot firmware to enforce signature validation on all MAVLink communications. Network segmentation should isolate MAVLink interfaces from untrusted networks as a complementary control. Review CISA advisory ICSA-26-090-02 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-090-02 for additional mitigation recommendations specific to operational technology environments. Organizations should audit all PX4 deployments to identify systems operating with default unsigned MAVLink configurations and prioritize remediation for internet-facing or wireless-accessible autopilot systems.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17614