PX4 Autopilot

Priority: Act Now | CVSS: 9.8 | Source: ICS-CERT ICSA-26-090-02 | Published: Mar 31, 2026
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

PX4 Autopilot v1.16.0_SITL_latest_stable contains a vulnerability in the MAVLink interface that allows an attacker with access to the MAVLink communication link (telemetry radio, network port, or serial connection) to execute arbitrary shell commands without cryptographic authentication. The vulnerability exists because the MAVLink interface does not validate message authenticity, allowing unauthenticated commands to be accepted and executed by the autopilot. This could allow an attacker to take control of flight operations, alter vehicle behavior, or compromise the system.

What this means
What could happen
An attacker with access to the MAVLink interface (which may be exposed over network, radio, or telemetry links) could execute arbitrary shell commands on the autopilot system, potentially taking control of flight operations or the vehicle's behavior.
Who's at risk
This affects operators and integrators of PX4 autopilot systems used in drones, unmanned aerial vehicles (UAVs), autonomous vehicles, and any systems relying on PX4 for flight or motion control. This includes both commercial and research platforms that expose the MAVLink interface over telemetry radios, network connections, or serial ports.
How it could be exploited
An attacker sends crafted MAVLink commands over an unencrypted or unauthenticated communication link (UDP, serial, or radio telemetry) to the MAVLink interface. Since the interface does not validate message authenticity, the autopilot accepts and executes the injected shell commands without authentication.
Prerequisites
  • Network or physical access to the MAVLink communication link (e.g., telemetry radio, network port, or serial connection)
  • MAVLink 2.0 message signing not enabled on the system
  • Ability to send MAVLink-formatted packets to the autopilot
Tags: remotely exploitable; no authentication required; low complexity; high CVSS (9.8); affects safety-critical systems (flight control)
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
Autopilot v1.16.0_SITL_latest_stable | v1.16.0 SITL latest stable | No fix yet
Remediation & Mitigation
Do now
  • HARDENING: Enable MAVLink 2.0 message signing for all non-USB communication links (telemetry, radio, network)
  • WORKAROUND: Restrict network access to the MAVLink interface to trusted control stations and systems only
  • WORKAROUND: Implement firewall rules to block unauthorized MAVLink traffic (typically UDP port 14550 or serial/radio links)
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Review and apply the PX4 security hardening guide for integrators and manufacturers (https://docs.px4.io/main/en/mavlink/security_hardening)
Long-term hardening
  • HARDENING: Disable remote MAVLink access over the network if not required for operations; restrict to local USB or secured radio links only
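The first "Do now" item, enabling MAVLink 2.0 message signing, is what closes the gap the Summary describes: a receiver that enforces signing discards any frame that is unsigned, carries a bad signature, or reuses an old timestamp. The following is an added example, not code from the OTPulse advisory or from the PX4 project, of the receiver-side check as specified for MAVLink 2 signing (signature = first 48 bits of SHA-256 over secret key + header + payload + CRC + link ID + timestamp). The 32-byte key, the sample payload, the system/component IDs and the timestamps are constructed values; msgid 76 is COMMAND_LONG in the common dialect, but the payload bytes are not a real command body, and the 2-byte CRC is left as a placeholder because computing it needs the per-message CRC_EXTRA table.

```python
"""Minimal MAVLink 2 signature gate (added example; not PX4 or OTPulse code).

Demonstrates why enabling signing blocks the unauthenticated command path:
frames without the signed flag, with a signature made under a different key,
with a modified payload, or with a stale timestamp are all rejected.
"""
import hashlib
import hmac
import struct

MAVLINK2_STX = 0xFD
MAVLINK_IFLAG_SIGNED = 0x01   # incompat_flags bit that marks a signed frame
HEADER_LEN = 10               # STX, len, incompat, compat, seq, sysid, compid, msgid (3 bytes)
CRC_LEN = 2
SIGNATURE_LEN = 13            # link_id (1) + timestamp (6) + sha256_48 (6)

# Constructed sample key. A real deployment uses a random 32-byte secret
# provisioned on both the autopilot and the ground control station.
SAMPLE_KEY = bytes(range(32))


def signature_48(secret_key, body, link_id, timestamp):
    """sha256_48(secret_key + header + payload + crc + link_id + timestamp)."""
    h = hashlib.sha256()
    h.update(secret_key)
    h.update(body)                            # header + payload + crc
    h.update(bytes([link_id]))
    h.update(timestamp.to_bytes(6, "little"))  # 10 us units since 2015-01-01
    return h.digest()[:6]


def build_frame(payload, msgid, seq, sysid, compid, secret_key=None, link_id=0, timestamp=0):
    """Assemble a MAVLink 2 frame, signed when a secret_key is given.

    The CRC is a constructed placeholder: this demo does not compute the
    X.25 checksum with CRC_EXTRA, and verify_frame() does not check it.
    """
    incompat = MAVLINK_IFLAG_SIGNED if secret_key is not None else 0
    header = struct.pack("<BBBBBBB", MAVLINK2_STX, len(payload), incompat, 0, seq, sysid, compid)
    header += msgid.to_bytes(3, "little")
    crc = b"\x00\x00"
    body = header + payload + crc
    if secret_key is None:
        return body
    sig = signature_48(secret_key, body, link_id, timestamp)
    return body + bytes([link_id]) + timestamp.to_bytes(6, "little") + sig


def verify_frame(frame, secret_key, stream_state):
    """Return (accepted, reason) for one frame under an enforce-signing policy.

    stream_state maps (link_id, sysid, compid) to the last accepted timestamp,
    so a captured frame replayed later is refused (strictly increasing here;
    real stacks allow a small window for first contact and clock skew).
    """
    if len(frame) < HEADER_LEN + CRC_LEN or frame[0] != MAVLINK2_STX:
        return False, "rejected: not a MAVLink 2 frame"
    payload_len, incompat = frame[1], frame[2]
    if not incompat & MAVLINK_IFLAG_SIGNED:
        return False, "rejected: unsigned frame"
    if len(frame) != HEADER_LEN + payload_len + CRC_LEN + SIGNATURE_LEN:
        return False, "rejected: bad length"
    body, sig_block = frame[:-SIGNATURE_LEN], frame[-SIGNATURE_LEN:]
    link_id = sig_block[0]
    timestamp = int.from_bytes(sig_block[1:7], "little")
    expected = signature_48(secret_key, body, link_id, timestamp)
    if not hmac.compare_digest(sig_block[7:], expected):   # constant-time compare
        return False, "rejected: bad signature"
    stream = (link_id, frame[5], frame[6])                 # (link, sysid, compid)
    if timestamp <= stream_state.get(stream, -1):
        return False, "rejected: stale timestamp"
    stream_state[stream] = timestamp
    return True, "accepted"


def run_demo():
    """Feed the gate a legitimate frame and four forgeries; return the verdicts."""
    state = {}
    payload = b"\x01\x02\x03"   # constructed bytes, not a real COMMAND_LONG body
    good = build_frame(payload, 76, 1, 255, 190, SAMPLE_KEY, link_id=1, timestamp=1000)
    unsigned = build_frame(payload, 76, 2, 255, 190)
    tampered = bytearray(good)
    tampered[HEADER_LEN] ^= 0xFF   # flip the first payload byte after signing
    wrong_key = build_frame(payload, 76, 3, 255, 190, bytes(32), link_id=1, timestamp=2000)
    return {
        "signed": verify_frame(good, SAMPLE_KEY, state),
        "replayed": verify_frame(good, SAMPLE_KEY, state),
        "unsigned": verify_frame(unsigned, SAMPLE_KEY, state),
        "tampered": verify_frame(bytes(tampered), SAMPLE_KEY, state),
        "wrong_key": verify_frame(wrong_key, SAMPLE_KEY, state),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:10s} -> {verdict}")
```

The point for an integrator is the `unsigned` case: with signing enforced, the unauthenticated command frames in the Summary never reach the command handler, regardless of which link (UDP, serial or radio) delivered them. The replay check matters as well, since an attacker who can only record traffic on the link must not be able to re-send a valid signed command later.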

PX4 Autopilot | CVSS 9.8 - OTPulse