Cyber Resilience

CVE-2026-32713

MediumPublic PoC

Published: 16 March 2026

Published
16 March 2026
Modified
16 March 2026
KEV Added
Patch
CVSS Score v3.1 4.3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score 0.0010 27.9th percentile
Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32713 is a medium-severity Always-Incorrect Control Flow Implementation (CWE-670) vulnerability in Dronecode Px4 Drone Autopilot. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, A logic error in the PX4 Autopilot MAVLink FTP session validation uses incorrect boolean logic (&& instead of ||), allowing BurstReadFile and WriteFile operations to proceed with invalid…

more

sessions or closed file descriptors. This enables an unauthenticated attacker to put the FTP subsystem into an inconsistent state, trigger operations on invalid file descriptors, and bypass session isolation checks. This vulnerability is fixed in 1.17.0-rc2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Logic error bypasses MAVLink FTP session validation, enabling unauthenticated file read/write operations on the exposed autopilot service.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

Affected Assets

dronecode
px4 drone autopilot
1.17.0 · ≤ 1.17.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References