The MAVLink communication protocol does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled, any message -- including SERIAL_CONTROL, which provides

Description

The MAVLink communication protocol does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled, any message -- including SERIAL_CONTROL, which provides interactive shell access -- can be sent by an unauthenticated party with access to the MAVLink interface. PX4 provides MAVLink 2.0 message signing as the cryptographic authentication mechanism for all MAVLink communication. When signing is enabled, unsigned messages are rejected at the protocol level.

Affected Products

Vendor	Product	Versions
PX4	PX4 Autopilot	v1.16.0_SITL_latest_stable

References

Related News (1 articles)

Tier B

CCCS Canada3h ago

[Control systems] CISA ICS security advisories (AV26–324)

→ No new info (linked only)

CVSS 3.19.8 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited❌ No

CWECWE-306

PublishedMar 31, 2026

Last enriched2h agov2

Trending Score11

Source articles1

Independent1

Info Completeness8/14

Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

Version History

Last enriched 2h ago

v2Tier B2h ago

Added vendor PX4, product PX4 Autopilot, affected version v1.16.0_SITL_latest_stable, and marked exploit as available and actively exploited.

vendorproductaffectedVersions

via CCCS Canada

v16d ago

Initial creation