CVE-2026-1579: PX4 Autopilot Remote Command Execution — Detection and Hardening Guide
Introduction
CISA has released ICS Advisory ICSA-26-090-02 detailing a critical vulnerability (CVE-2026-1579) in PX4 Autopilot. This is not a theoretical edge case; it is a CVSS 9.8 flaw impacting the Transportation Systems, Emergency Services, and Defense Industrial Base sectors. The vulnerability arises because the MAVLink communication protocol does not enforce cryptographic authentication by default. Consequently, an attacker with network access to the MAVLink interface can execute arbitrary shell commands on the autopilot controller without credentials, potentially hijacking the vehicle or causing catastrophic physical damage. Defenders must immediately assess their exposure to MAVLink interfaces and enforce strict signing configurations.
Technical Analysis
Affected Products:
- PX4 Autopilot v1.16.0_SITL_latest_stable (and likely other versions utilizing standard MAVLink implementations without signing).
CVE Identifier: CVE-2026-1579
CVSS Score: 9.8 (Critical)
Vulnerability Mechanics: The PX4 Autopilot utilizes the MAVLink (Micro Air Vehicle Link) protocol for communication between ground control stations (GCS) and the vehicle. While MAVLink 2.0 supports message signing to verify the source of commands, this feature is disabled by default.
The attack chain is efficient:
- Recon: An attacker identifies a target MAVLink interface (typically UDP ports 14550 or 14540) within broadcast range or a compromised network segment.
- Injection: The attacker sends specifically crafted MAVLink packets containing shell commands.
- Execution: Because the autopilot accepts unsigned commands, it processes the payload and executes the command at the OS level (e.g., NuttX or Linux shell).
- Compromise: The attacker gains full control over the flight controller, enabling manipulation of flight dynamics, sensor data, or complete shutdown.
Exploitation Status: While specific in-the-wild exploitation has not been publicly confirmed at the time of this advisory, the barrier to entry is low. Tools to generate MAVLink traffic are widely available, and the lack of authentication makes scanning and exploitation trivial.
Detection & Response
SIGMA Rules
---
title: Potential MAVLink Unauthorized Access from Unknown IP
id: 8a2b3c4d-1e2f-4a5b-8c6d-1e2f3a4b5c6d
status: experimental
description: Detects inbound network connections on standard MAVLink ports from IP addresses outside of known Ground Control Station subnets.
references:
  - https://cisa.gov/news-events/ics-advisories/icsa-26-090-02
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: network_connection
  product: linux
detection:
  selection:
    DestinationPort:
      - 14550
      - 14540
    Protocol|contains: 'udp'
  filter_known_gcs:
    SourceIpAddress|cidr:
      - '10.0.0.0/8'      # Example: Private internal network
      - '192.168.0.0/16'  # Example: GCS subnet
      - '172.16.0.0/12'   # Example: Drone link local
  condition: selection and not filter_known_gcs
falsepositives:
  - Legitimate GCS connecting from a new IP
  - Network scanning tools used by engineers
level: high
---
title: PX4 Autopilot Process Spawning Shell
id: 9c3d4e5f-2f3g-5b6c-9d7e-2f3g4b5c6d7e
status: experimental
description: Detects the PX4 autopilot process spawning a shell (sh/bash), indicating potential successful exploitation of command execution vulnerabilities.
references:
  - https://cisa.gov/news-events/ics-advisories/icsa-26-090-02
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  parent:
    ParentImage|endswith: '/px4'
  child:
    Image|endswith:
      - '/sh'
      - '/bash'
      - '/dash'
  condition: parent and child
falsepositives:
  - Legitimate debugging by developers
level: critical
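To show exactly which events the two Sigma rules above match, here is the same logic written out in Python and run over constructed sample events (this is an added example for this guide, not Security Arsenal's tooling or a Sigma backend). The event dictionaries mirror the field names used in the rules; the IP addresses, paths and command lines are made up. Note that Sigma's string modifiers (`contains`, `endswith`) match case-insensitively, so "UDP" and "udp" are treated the same here.

```python
import ipaddress

# Rule inputs, mirroring the two Sigma rules above
MAVLINK_PORTS = {14550, 14540}
KNOWN_GCS_NETS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]
SHELL_SUFFIXES = ("/sh", "/bash", "/dash")

# Constructed sample events shaped like the rules' logsources (not real telemetry).
NETWORK_EVENTS = [
    {"SourceIpAddress": "192.168.1.20", "DestinationPort": 14550, "Protocol": "udp"},  # known GCS subnet
    {"SourceIpAddress": "203.0.113.45", "DestinationPort": 14550, "Protocol": "udp"},  # unknown source
    {"SourceIpAddress": "203.0.113.45", "DestinationPort": 22,    "Protocol": "tcp"},  # not a MAVLink port
    {"SourceIpAddress": "198.51.100.9", "DestinationPort": 14540, "Protocol": "UDP"},  # unknown, mixed case
]
PROCESS_EVENTS = [
    {"ParentImage": "/usr/bin/px4", "Image": "/bin/sh",              "CommandLine": "sh -c id"},
    {"ParentImage": "/usr/bin/px4", "Image": "/usr/bin/px4-commander", "CommandLine": "px4-commander status"},
    {"ParentImage": "/bin/bash",    "Image": "/bin/sh",              "CommandLine": "sh script.sh"},
]


def unauthorized_mavlink_access(event):
    """Rule 1: 'selection and not filter_known_gcs'.
    Sigma string modifiers are case-insensitive, hence lower()."""
    selection = (event["DestinationPort"] in MAVLINK_PORTS
                 and "udp" in event["Protocol"].lower())
    if not selection:
        return False
    src = ipaddress.ip_address(event["SourceIpAddress"])
    known = any(src in net for net in KNOWN_GCS_NETS)   # SourceIpAddress|cidr
    return not known


def px4_spawned_shell(event):
    """Rule 2: 'parent and child'."""
    parent = event["ParentImage"].endswith("/px4")       # ParentImage|endswith
    child = event["Image"].endswith(SHELL_SUFFIXES)      # Image|endswith (list = OR)
    return parent and child


def run_rules(network_events, process_events):
    """Return alerts as (rule_title, level, event) tuples."""
    alerts = []
    for ev in network_events:
        if unauthorized_mavlink_access(ev):
            alerts.append(("Potential MAVLink Unauthorized Access from Unknown IP", "high", ev))
    for ev in process_events:
        if px4_spawned_shell(ev):
            alerts.append(("PX4 Autopilot Process Spawning Shell", "critical", ev))
    return alerts


if __name__ == "__main__":
    for title, level, ev in run_rules(NETWORK_EVENTS, PROCESS_EVENTS):
        print(f"[{level}] {title}: {ev}")
```

Running it yields two high alerts (the two public-range sources hitting 14550/14540) and one critical alert (the shell whose parent is px4); the px4-commander child and the bash-spawned sh are correctly ignored. When tuning the first rule for your environment, replace the three example CIDRs with the actual GCS subnets, otherwise the filter suppresses far more than intended.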
KQL (Microsoft Sentinel / Defender)
// Hunt for anomalous MAVLink traffic sources
DeviceNetworkEvents
| where RemotePort in (14550, 14540)
| where Protocol =~ "udp" // case-insensitive: the Protocol column is recorded as "Udp", not "UDP"
| summarize Count = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by RemoteIP, DeviceName, InitiatingProcessFileName
| where Count > 1000 // MAVLink is chatty, look for sustained connections or spikes
| sort by Count desc
| extend Reason = "High volume of MAVLink traffic detected from source IP"
Velociraptor VQL
-- Hunt for shells spawned by the PX4 process.
-- pslist() exposes Ppid rather than a Parent object, so join child rows to the px4 PID.
SELECT * FROM foreach(
  row={
    SELECT Pid AS ParentPid, Name AS ParentProcess
    FROM pslist()
    WHERE Name =~ "^px4$"
  },
  query={
    SELECT ParentProcess, ParentPid, Pid, Name AS ProcessName, CommandLine, Exe
    FROM pslist()
    WHERE Ppid = ParentPid AND Name =~ "^(sh|bash|dash)$"
  })

-- Identify sockets bound to MAVLink ports.
-- UDP sockets have no LISTEN state, so match the local port instead of RemotePort/State.
SELECT Pid, FamilyString, TypeString, Status,
       Laddr.IP AS LocalAddr, Laddr.Port AS LocalPort
FROM netstat()
WHERE Laddr.Port IN (14550, 14540)
Remediation Script (Bash)
#!/bin/bash
# PX4 Hardening Audit Script
# Checks for open MAVLink ports and advises on signing

echo "[*] Starting PX4 Security Audit..."

# 1. Check for sockets bound to the standard MAVLink ports (ss first, netstat as fallback)
if command -v ss >/dev/null 2>&1; then
    MAVLINK_PORTS=$(ss -tuln 2>/dev/null | grep -E ':(14550|14540)[[:space:]]')
else
    MAVLINK_PORTS=$(netstat -tuln 2>/dev/null | grep -E ':(14550|14540)[[:space:]]')
fi
if [ -z "$MAVLINK_PORTS" ]; then
    echo "[+] No standard MAVLink ports (14550/14540) found listening."
else
    echo "[!] WARNING: Open MAVLink ports detected:"
    echo "$MAVLINK_PORTS"
    echo "[!] ACTION REQUIRED: Ensure these ports are firewalled or require MAVLink 2.0 signing."
fi

# 2. Check for PX4 process (-x matches the exact process name; several PIDs may be returned)
PX4_PROCESS=$(pgrep -x px4 | tr '\n' ' ')
if [ -z "$PX4_PROCESS" ]; then
    echo "[+] PX4 process not running on this host."
else
    echo "[+] PX4 process found (PID: $PX4_PROCESS). Ensure MAVLink 2.0 signing is enabled in params."
    echo "    To enable, set parameter: MAV_LINK_SIGNING = 1"
fi

echo "[*] Audit complete."
Remediation
To mitigate CVE-2026-1579 and secure autonomous systems against unauthorized command execution, apply the following defensive measures immediately:
- Enable MAVLink 2.0 Message Signing: This is the primary remediation. Configure the PX4 system to accept only signed packets. This involves setting the MAV_LINK_SIGNING parameter to 1 (enabled) and distributing the secret key securely to your Ground Control Station (GCS).
- Network Segmentation: Ensure MAVLink communication ports (UDP 14550, 14540) are not accessible from the public internet. Use VLANs or firewall rules to restrict traffic to known, physical GCS IPs only.
- Physical Security: Restrict physical access to the vehicle's telemetry ports. An attacker with physical access can inject commands via USB/Serial interfaces if signing is not enforced.
- Vendor Update: Monitor the PX4 Autopilot official repository and CISA advisories for a patched firmware release that defaults to stricter security settings.
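To make concrete what enforcing MAVLink 2.0 signing buys a receiver, here is an added example written for this guide (it is not PX4, pymavlink or Security Arsenal code). It builds MAVLink 2 frames, signs them the way the MAVLink 2 specification describes (the first 48 bits of SHA-256 over the shared secret key, the frame bytes from the 0xFD magic through the CRC, the link ID and a 6-byte timestamp in 10 µs units since 2015-01-01), and then applies a receive-side check that rejects unsigned frames, frames whose signature does not verify, and replayed frames whose timestamp does not advance. The 32-byte key, the payload, the message ID, the CRC_EXTRA value and the 60-second clock-skew tolerance are all constructed assumptions for the demo.

```python
import hashlib
import hmac
import struct
import time

# MAVLink 2 framing constants from the public specification
MAVLINK2_STX = 0xFD
IFLAG_SIGNED = 0x01          # incompat_flags bit: frame carries a 13-byte signature block
SIGNATURE_LEN = 13           # link_id(1) + timestamp(6) + sha256_48(6)
MAVLINK_EPOCH = 1420070400   # 2015-01-01 00:00:00 UTC; timestamps count 10 us units since then
MAX_SKEW_10US = 6_000_000    # Assumption: tolerate 60 s of clock skew between sender and receiver

# Assumption: a constructed 32-byte secret shared with the GCS (not a real key).
SECRET_KEY = bytes(range(32))


def x25_crc(data: bytes) -> int:
    """MAVLink's CRC-16/MCRF4XX (X.25) checksum over len..payload plus CRC_EXTRA."""
    crc = 0xFFFF
    for b in data:
        tmp = b ^ (crc & 0xFF)
        tmp = (tmp ^ (tmp << 4)) & 0xFF
        crc = ((crc >> 8) ^ (tmp << 8) ^ (tmp << 3) ^ (tmp >> 4)) & 0xFFFF
    return crc


def mav_timestamp(now: float) -> int:
    """Wall-clock seconds -> MAVLink signing timestamp (10 us units since the 2015 epoch)."""
    return int((now - MAVLINK_EPOCH) * 100_000)


def build_frame(payload, msgid, seq, sysid, compid, crc_extra, key=None, link_id=0, timestamp=0):
    """Assemble a MAVLink 2 frame; if key is given, append the signature block."""
    incompat = IFLAG_SIGNED if key else 0
    header = struct.pack("<BBBBBBB", MAVLINK2_STX, len(payload), incompat, 0,
                         seq, sysid, compid) + msgid.to_bytes(3, "little")
    crc = x25_crc(header[1:] + payload + bytes([crc_extra]))   # magic byte is excluded from CRC
    frame = header + payload + struct.pack("<H", crc)
    if key:
        ts = timestamp.to_bytes(6, "little")
        sig = hashlib.sha256(key + frame + bytes([link_id]) + ts).digest()[:6]
        frame += bytes([link_id]) + ts + sig
    return frame


class SigningVerifier:
    """Receive-side policy: accept only frames that are signed, verify and are not replays."""

    def __init__(self, key):
        self.key = key
        self.last_ts = {}   # (link_id, sysid, compid) -> last accepted timestamp

    def verify(self, frame, now_ts):
        if len(frame) < 12 or frame[0] != MAVLINK2_STX:
            return (False, "not mavlink2")
        payload_len, incompat = frame[1], frame[2]
        if not incompat & IFLAG_SIGNED:
            return (False, "unsigned")              # the state the advisory warns about
        body_end = 10 + payload_len + 2             # header + payload + CRC
        if len(frame) != body_end + SIGNATURE_LEN:
            return (False, "bad length")
        body = frame[:body_end]
        link_id = frame[body_end]
        ts_bytes = frame[body_end + 1:body_end + 7]
        sig = frame[body_end + 7:body_end + 13]
        expected = hashlib.sha256(self.key + body + bytes([link_id]) + ts_bytes).digest()[:6]
        if not hmac.compare_digest(sig, expected):  # constant-time comparison
            return (False, "bad signature")
        ts = int.from_bytes(ts_bytes, "little")
        stream = (link_id, frame[5], frame[6])      # per link/system/component stream
        if ts <= self.last_ts.get(stream, -1):
            return (False, "replay")
        if abs(ts - now_ts) > MAX_SKEW_10US:
            return (False, "stale timestamp")
        self.last_ts[stream] = ts
        return (True, "ok")


def demo():
    """Exercise the verifier with a good frame, a tampered copy, a replay and an unsigned frame."""
    now = mav_timestamp(time.time())
    verifier = SigningVerifier(SECRET_KEY)
    payload = b"\x01\x02\x03\x04"   # constructed payload; msgid/crc_extra below are placeholders
    signed = build_frame(payload, msgid=76, seq=0, sysid=1, compid=1, crc_extra=152,
                         key=SECRET_KEY, link_id=1, timestamp=now)
    unsigned = build_frame(payload, msgid=76, seq=1, sysid=1, compid=1, crc_extra=152)
    tampered = bytearray(signed)
    tampered[10] ^= 0xFF             # flip the first payload byte, signature no longer matches
    return {
        "signed": verifier.verify(signed, now),
        "tampered": verifier.verify(bytes(tampered), now),
        "replay": verifier.verify(signed, now),     # same timestamp again for the same stream
        "unsigned": verifier.verify(unsigned, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

The unsigned frame is exactly what the autopilot accepts when signing is off; with the policy above it is dropped before any command handling runs. Distributing the key is the operational part: the same 32 bytes must be configured on the GCS and the vehicle, and rotating it means re-provisioning both ends.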