Cyber Posture

CVE-2026-1579

Severity: Critical

Published: 31 March 2026
Modified: 07 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.4th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

The MAVLink communication protocol does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled, any message, including SERIAL_CONTROL, which provides interactive shell access, can be sent by an unauthenticated party with access to the MAVLink interface. PX4 provides MAVLink 2.0 message signing as the cryptographic authentication mechanism for all MAVLink communication. When signing is enabled, unsigned messages are rejected at the protocol level.

Mitigating Controls (NIST 800-53 r5)

Prevent: Requires identification and authentication before any action is permitted, directly addressing the lack of default cryptographic authentication in MAVLink that allows unauthenticated command injection, including SERIAL_CONTROL.

Prevent: Requires cryptographic mechanisms to protect the authenticity of transmitted MAVLink messages, so that unsigned messages can be rejected as the advisory recommends.

Prevent: Mandates secure configuration settings that enable MAVLink 2.0 message signing, countering the protocol's lack of authentication by default.

Security Summary

CVE-2026-1579 affects the MAVLink communication protocol, which does not require cryptographic authentication by default when MAVLink 2.0 message signing is not enabled. This vulnerability, published on 2026-03-31, allows any message—including SERIAL_CONTROL, which provides interactive shell access—to be sent by an unauthenticated party with access to the MAVLink interface. PX4 autopilot software utilizes MAVLink and offers MAVLink 2.0 message signing as its cryptographic authentication mechanism. The issue is classified as CWE-306 (Missing Authentication for Critical Function) with a CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

An attacker needs only network access to the MAVLink interface and no privileges to exploit this vulnerability. By sending unauthenticated MAVLink messages, they can inject arbitrary commands, including SERIAL_CONTROL messages that provide interactive shell access on affected systems. The result is a high impact on confidentiality, integrity, and availability.

PX4 documentation and CISA ICSA-26-090-02 recommend enabling MAVLink 2.0 message signing to mitigate the vulnerability, as it rejects unsigned messages at the protocol level. Configuration guidance is available at https://docs.px4.io/main/en/mavlink/message_signing and https://docs.px4.io/main/en/mavlink/security_hardening, with full advisory details at https://www.cisa.gov/news-events/ics-advisories/icsa-26-090-02 and the associated JSON at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-090-02.json.
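The signing scheme that the description and the summary above rely on, as an added example (not PX4's or MAVLink's own code): a sender-side signer and a receiver-side acceptance policy that drops unsigned frames, frames signed with a different key, and replayed frames. It assumes a 32-byte key already shared by both ends (provisioning is covered by the PX4 docs linked above) and uses a constructed SERIAL_CONTROL frame whose CRC bytes are placeholders; CRC validation is not shown.

```python
import hashlib
import hmac
import struct

MAVLINK2_STX = 0xFD  # MAVLink 2 start-of-frame marker
IFLAG_SIGNED = 0x01  # incompat_flags bit set on every signed frame
HEADER_LEN = 10      # STX, len, incompat, compat, seq, sysid, compid, msgid[3]
SIG_LEN = 13         # link_id (1) + timestamp (6) + truncated SHA-256 (6)


def sign_frame(secret_key: bytes, unsigned: bytes, link_id: int, timestamp: int) -> bytes:
    """Sign a frame that ends with its CRC: SHA-256(key || header || payload || crc ||
    link_id || timestamp)[:6]; timestamp is 48-bit LE, 10 us ticks since 2015-01-01."""
    body = bytearray(unsigned)
    body[2] |= IFLAG_SIGNED  # advertise the signature in incompat_flags
    trailer = bytes([link_id]) + struct.pack("<Q", timestamp)[:6]
    digest = hashlib.sha256(secret_key + bytes(body) + trailer).digest()
    return bytes(body) + trailer + digest[:6]


class SignedLink:
    """Receive-side policy: drop unsigned frames, verify the signature with the
    shared 32-byte key, and require strictly increasing timestamps per stream."""

    def __init__(self, secret_key: bytes):
        self.secret_key = secret_key
        self.last_ts = {}  # (sysid, compid, link_id) -> last accepted timestamp

    def accept(self, frame: bytes) -> tuple:
        if len(frame) < HEADER_LEN + 2 or frame[0] != MAVLINK2_STX:
            return False, "not a MAVLink 2 frame"
        if not frame[2] & IFLAG_SIGNED:
            return False, "unsigned frame rejected"  # the protocol-level rejection
        if len(frame) != HEADER_LEN + frame[1] + 2 + SIG_LEN:
            return False, "bad length for a signed frame"
        signed_part, trailer = frame[:-SIG_LEN], frame[-SIG_LEN:]
        expected = hashlib.sha256(self.secret_key + signed_part + trailer[:7]).digest()[:6]
        if not hmac.compare_digest(trailer[7:], expected):
            return False, "signature mismatch"
        ts = struct.unpack("<Q", trailer[1:7] + b"\x00\x00")[0]
        stream = (frame[5], frame[6], trailer[0])
        if ts <= self.last_ts.get(stream, -1):
            return False, "stale timestamp (replay)"  # spec: timestamps must increase
        self.last_ts[stream] = ts
        return True, "accepted"


# Constructed sample: SERIAL_CONTROL (msgid 126) from a GCS (sysid 255, compid 190).
# CRC bytes are placeholders; CRC checking needs per-message CRC_EXTRA and is not shown.
SECRET_KEY = hashlib.sha256(b"constructed-example-secret").digest()
UNSIGNED_FRAME = bytes([0xFD, 4, 0, 0, 7, 255, 190, 126, 0, 0]) + b"\x01\x02\x03\x04\xAA\xBB"
```

A receiver that has not seen a stream before accepts its first timestamp here; the MAVLink spec additionally bounds that first timestamp against local time, which is left out for brevity.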

Details

CWE(s): CWE-306 (Missing Authentication for Critical Function)

Affected Products: px4 autopilot 1.16.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote attackers with network access to the MAVLink interface to inject arbitrary messages, including SERIAL_CONTROL for interactive shell access, directly enabling exploitation of a public-facing application/service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
