This critical flaw could allow malicious actors to completely take over unmanned aerial vehicles (UAVs) and drones deployed across vital infrastructure sectors worldwide.
Tracked as CVE-2026-1579, the security flaw carries a near-maximum Common Vulnerability Scoring System (CVSS) v3.1 score of 9.8 out of 10.
Classified under CWE-306, the vulnerability stems from a “Missing Authentication for Critical Function” error within the drone’s flight software.
CISA formally published the advisory under identifier ICSA-26-090-02 on March 31, 2026.
PX4 Autopilot is a widely adopted open-source flight control software used globally to manage drones and other autonomous vehicles.
The vulnerability exists in how the software handles communication through the MAVLink interface, a messaging protocol used to transmit commands and telemetry data between drones and ground control stations.
According to the CISA advisory, the MAVLink communication protocol does not require cryptographic authentication by default.
This means that when MAVLink 2.0 message signing is not enabled, any message, including the SERIAL_CONTROL command, which provides interactive shell access, can be sent by an unauthenticated party with access to the MAVLink interface.
An attacker who can reach that interface can issue arbitrary shell commands without needing a password or security key, effectively hijacking full control of the flight controller.
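For operators auditing their own links, the following added example (not code from the CISA advisory or the PX4 project) scans a raw byte capture for MAVLink 2 frames and reports SERIAL_CONTROL messages that arrive without the signing flag set. It assumes the capture is a plain byte stream of the link; it checks only whether a signature is present and does not validate the checksum or the signature itself, and the sample frames are constructed with zeroed payloads.

```python
import struct

MAVLINK2_STX = 0xFD            # MAVLink 2 start-of-frame marker
IFLAG_SIGNED = 0x01            # incompat_flags bit: frame carries a 13-byte signature
MSG_SERIAL_CONTROL = 126       # message id of SERIAL_CONTROL in the common dialect
HEADER_LEN, CRC_LEN, SIG_LEN = 10, 2, 13


def iter_frames(buf):
    """Yield (offset, msgid, sysid, compid, signed) for each MAVLink 2 frame in buf."""
    i = 0
    while i + HEADER_LEN + CRC_LEN <= len(buf):
        if buf[i] != MAVLINK2_STX:
            i += 1                      # resynchronise on the next start marker
            continue
        plen, incompat, _compat, _seq, sysid, compid = struct.unpack_from("<6B", buf, i + 1)
        msgid = int.from_bytes(buf[i + 7:i + 10], "little")
        signed = bool(incompat & IFLAG_SIGNED)
        total = HEADER_LEN + plen + CRC_LEN + (SIG_LEN if signed else 0)
        if i + total > len(buf):
            break                       # truncated frame at end of capture
        yield i, msgid, sysid, compid, signed
        i += total


def unsigned_serial_control(buf):
    """Return (offset, sysid, compid) for SERIAL_CONTROL frames lacking the signed flag."""
    return [(off, sysid, compid) for off, msgid, sysid, compid, signed in iter_frames(buf)
            if msgid == MSG_SERIAL_CONTROL and not signed]


def _frame(msgid, sysid, payload_len, signed):
    """Constructed sample frame: zeroed payload, placeholder checksum and signature."""
    hdr = bytes([MAVLINK2_STX, payload_len, IFLAG_SIGNED if signed else 0, 0, 0, sysid, 1])
    hdr += msgid.to_bytes(3, "little")
    return hdr + bytes(payload_len) + b"\x00\x00" + (bytes(SIG_LEN) if signed else b"")


# Constructed capture: HEARTBEAT (id 0), unsigned SERIAL_CONTROL, signed SERIAL_CONTROL.
SAMPLE = _frame(0, 1, 9, False) + _frame(126, 255, 79, False) + _frame(126, 255, 79, True)

if __name__ == "__main__":
    for off, sysid, compid in unsigned_serial_control(SAMPLE):
        print(f"unsigned SERIAL_CONTROL at offset {off} from sysid={sysid} compid={compid}")
```

A hit from this check means the link accepted, or at least carried, a shell-capable message with no signature attached, which is the condition the advisory describes when message signing is not enabled.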
The vulnerability specifically impacts PX4 Autopilot version v1.16.0_SITL_latest_stable.
The Switzerland-headquartered PX4 Autopilot system is deployed globally, with CISA confirming that the affected critical infrastructure sectors include:
A successful remote drone takeover in these environments could lead to stolen surveillance data, disrupted emergency response efforts, or compromised defense operations.
The critical flaw was discovered and responsibly reported to CISA by security researcher Dolev Aviv from aviation cybersecurity firm Cyviation.
Cyviation specializes in proactive intelligence and monitoring solutions targeting cyber threats in aviation communication systems.
CISA and PX4 urge all operators and organizations to take immediate defensive action:
As of publication, no known public exploitation specifically targeting this vulnerability has been reported to CISA.
However, given the critical CVSS score and the sensitive sectors involved, drone operators relying on the PX4 ecosystem should treat this as an urgent remediation priority.
The post Critical PX4 Autopilot Flaw Lets Hackers Take Control of Drones appeared first on Cyber Security News.