Droneaware Node Releases
Monthly
Account pre-hijacking in the centralized droneaware.io cloud platform allowed unauthenticated attackers to register an account using a victim's email address with an attacker-controlled password prior to the victim completing account activation. Once the legitimate owner activated their account - either via an email verification link or by authenticating through Google SSO - the attacker-set password remained fully valid, granting silent and persistent account takeover with no notification to the victim. The vulnerability was remediated server-side by the vendor on 2025-05-20; no public exploit or CISA KEV listing has been identified, and no user action is required.
Account pre-hijacking in the centralized droneaware.io cloud platform allowed unauthenticated attackers to register an account using a victim's email address with an attacker-controlled password prior to the victim completing account activation. Once the legitimate owner activated their account - either via an email verification link or by authenticating through Google SSO - the attacker-set password remained fully valid, granting silent and persistent account takeover with no notification to the victim. The vulnerability was remediated server-side by the vendor on 2025-05-20; no public exploit or CISA KEV listing has been identified, and no user action is required.