Dolev Aviv

**Name of the Vulnerable Software and Affected Versions** PX4 Autopilot (affected versions not specified) **Description** The MAVLink communication protocol, as used by PX4 Autopilot, does not require cryptographic authentication by default. Without MAVLink 2.0 message signing enabled, unauthenticated parties with access to the MAVLink interface can send messages, including the `SERIAL CONTROL` message which provides interactive shell access. Enabling MAVLink 2.0 message signing in PX4 provides cryptographic authentication and rejects unsigned messages at the protocol level. The `SERIAL CONTROL` message allows for remote shell access. **Recommendations** Enable MAVLink 2.0 message signing to provide cryptographic authentication for all MAVLink communication.