CVE-2024-33844

7.5 HIGH

📋 TL;DR

This vulnerability in Parrot ANAFI USA drone firmware allows attackers to disrupt the connection between the controller and drone by sending specially crafted MAVLink MISSION_COUNT commands with invalid mission types. It affects users of Parrot ANAFI USA drones running vulnerable firmware versions, potentially causing loss of control during flight operations.

💻 Affected Systems

Products:
  • Parrot ANAFI USA drone
Versions: Firmware version 1.10.4
Operating Systems: Drone firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Firmware 1.10.4 is the version listed as affected; the attacker must be within wireless communication range of the drone and needs no credentials.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete loss of drone control leading to crash, property damage, or injury if drone falls in populated areas.

🟠

Likely Case

Temporary disruption of drone operations requiring manual recovery or restart of connection.

🟢

If Mitigated

Minor service interruption with automatic reconnection protocols or manual recovery procedures.

🌐 Internet-Facing: LOW - Requires proximity to drone's wireless signal, not typically internet-exposed.
🏢 Internal Only: MEDIUM - Attackers within wireless range can disrupt operations but need specific timing and proximity.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending MAVLink packets to the drone's communication interface; mission-protocol messages such as MISSION_COUNT are typically accepted without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Parrot for updated firmware beyond 1.10.4

Vendor Advisory: https://forum.developer.parrot.com/t/cve-2024-33844-bugs-in-anafi-thermal-usa-firmware/22501

Restart Required: Yes

Instructions:

1. Check Parrot's official website or developer forum for firmware updates.
2. Download the latest firmware.
3. Connect the drone to the controller.
4. Apply the firmware update through the official Parrot app.
5. Restart the drone and the controller.

🔧 Temporary Workarounds

Restrict wireless access


Limit drone operations to controlled environments where unauthorized wireless devices cannot reach the drone.

Monitor MAVLink traffic


Monitor the link for MAVLink MISSION_COUNT (message ID 44) frames whose mission_type field is outside the values defined for that message (0, 1, 2).

🧯 If You Can't Patch

  • Operate drone only in physically secure areas where attackers cannot access wireless range.
  • Implement secondary control protocols or manual override systems for emergency recovery.

🔍 How to Verify

Check if Vulnerable:

Check drone firmware version in Parrot app settings; if version is 1.10.4, system is vulnerable.

Check Version:

Check firmware version in Parrot FreeFlight 6 USA app under Settings > My Devices > ANAFI USA

Verify Fix Applied:

After updating, verify firmware version shows a version higher than 1.10.4 in Parrot app.

📡 Detection & Monitoring

Log Indicators:

  • Unusual MAVLink command sequences
  • Multiple connection drops between controller and drone
  • MISSION_COUNT commands with mission type values outside 0,1,2

Network Indicators:

  • MAVLink MISSION_COUNT frames whose mission_type is 255 (MAV_MISSION_TYPE_ALL, defined only for MISSION_CLEAR_ALL) or any other value outside 0, 1, 2
  • Sudden increase in MAVLink traffic from unknown sources

SIEM Query:

Decode MAVLink frames and alert on MISSION_COUNT (message ID 44) where mission_type is outside the expected range (0, 1, 2). Note that MAVLink v1 frames carry no mission_type field and MAVLink v2 truncates trailing zero payload bytes, so an absent field means 0 and is not an indicator.
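The following is an added example of the monitoring logic described under "Monitor MAVLink traffic" and in this section; it is not code from Parrot or from the MAVLink project. It parses raw MAVLink v1/v2 frames, verifies the X.25 checksum so that corrupted frames do not raise alerts, and flags MISSION_COUNT frames whose mission_type is not 0, 1 or 2. Assumptions: the MAVLink common dialect (MISSION_COUNT is message ID 44 with CRC_EXTRA 221), and that 255 (MAV_MISSION_TYPE_ALL) is invalid in MISSION_COUNT because it is defined only for MISSION_CLEAR_ALL. All sample frames are constructed inside the script.

```python
"""Flag MAVLink MISSION_COUNT frames whose mission_type is out of range.

Added example for this advisory page, not Parrot's or the MAVLink project's
code. Assumes the MAVLink common dialect: MISSION_COUNT = msg id 44,
CRC_EXTRA 221, and only MAV_MISSION_TYPE 0 (MISSION), 1 (FENCE), 2 (RALLY)
are legitimate for this message. All sample frames below are constructed.
"""
import struct

STX_V1, STX_V2 = 0xFE, 0xFD
MSG_ID_MISSION_COUNT = 44
CRC_EXTRA = {MSG_ID_MISSION_COUNT: 221}   # only the message we check
VALID_MISSION_TYPES = {0, 1, 2}


def x25_crc(data: bytes, crc: int = 0xFFFF) -> int:
    """MAVLink checksum (CRC-16/MCRF4XX), same byte-wise form as pymavlink."""
    for b in data:
        tmp = b ^ (crc & 0xFF)
        tmp = (tmp ^ (tmp << 4)) & 0xFF
        crc = ((crc >> 8) ^ (tmp << 8) ^ (tmp << 3) ^ (tmp >> 4)) & 0xFFFF
    return crc


def build_frame(msgid: int, payload: bytes, v2: bool = True,
                seq: int = 0, sysid: int = 255, compid: int = 190) -> bytes:
    """Serialize one unsigned MAVLink v1/v2 frame (used for the sample stream)."""
    if v2:
        payload = payload.rstrip(b"\x00") or b"\x00"   # v2 zero truncation
        hdr = bytes([STX_V2, len(payload), 0, 0, seq, sysid, compid]) \
            + msgid.to_bytes(3, "little")
    else:
        hdr = bytes([STX_V1, len(payload), seq, sysid, compid, msgid])
    crc = x25_crc(hdr[1:] + payload)                    # STX is not covered
    crc = x25_crc(bytes([CRC_EXTRA[msgid]]), crc)       # then CRC_EXTRA
    return hdr + payload + struct.pack("<H", crc)


def build_mission_count(count: int, target_system: int, target_component: int,
                        mission_type: int, v2: bool = True) -> bytes:
    """MISSION_COUNT payload in wire order: count u16, target_system,
    target_component, then the mission_type extension (MAVLink v2 only)."""
    payload = struct.pack("<HBB", count, target_system, target_component)
    if v2:
        payload += bytes([mission_type])
    return build_frame(MSG_ID_MISSION_COUNT, payload, v2=v2)


def iter_frames(stream: bytes):
    """Yield parsed frames as dicts. crc_ok is None for messages whose
    CRC_EXTRA is not in our table. Frames are stepped by declared length;
    a production parser would also resync byte-wise after a bad CRC."""
    i = 0
    while i + 1 < len(stream):
        stx = stream[i]
        if stx not in (STX_V1, STX_V2):
            i += 1                                      # skip junk until an STX
            continue
        v2 = stx == STX_V2
        hdr_len = 10 if v2 else 6
        plen = stream[i + 1]
        end = i + hdr_len + plen + 2
        if end > len(stream):
            break                                       # truncated tail
        hdr = stream[i:i + hdr_len]
        if v2 and hdr[2] & 0x01:                        # MAVLINK_IFLAG_SIGNED
            end += 13                                   # 13-byte signature trailer
        sysid, compid = (hdr[5], hdr[6]) if v2 else (hdr[3], hdr[4])
        msgid = int.from_bytes(hdr[7:10], "little") if v2 else hdr[5]
        payload = stream[i + hdr_len:i + hdr_len + plen]
        given = struct.unpack_from("<H", stream, i + hdr_len + plen)[0]
        crc_ok = None
        if msgid in CRC_EXTRA:
            calc = x25_crc(bytes([CRC_EXTRA[msgid]]), x25_crc(hdr[1:] + payload))
            crc_ok = calc == given
        yield {"v2": v2, "sysid": sysid, "compid": compid, "msgid": msgid,
               "payload": payload, "crc_ok": crc_ok}
        i = end


def mission_type_of(payload: bytes) -> int:
    """mission_type is payload byte 4; a v1 frame has no such field and a v2
    frame drops it when it is zero, so absence means MISSION (0)."""
    return payload[4] if len(payload) >= 5 else 0


def find_invalid_mission_count(stream: bytes) -> list:
    """One alert per CRC-valid MISSION_COUNT carrying an invalid mission_type."""
    alerts = []
    for f in iter_frames(stream):
        if f["msgid"] != MSG_ID_MISSION_COUNT or not f["crc_ok"]:
            continue
        mt = mission_type_of(f["payload"])
        if mt not in VALID_MISSION_TYPES:
            alerts.append({"sysid": f["sysid"], "compid": f["compid"],
                           "mission_type": mt, "v2": f["v2"]})
    return alerts


def sample_stream() -> bytes:
    """Constructed capture: leading junk, benign frames, two bad ones, and a
    corrupted copy of a bad frame that must be ignored (CRC mismatch)."""
    good = build_mission_count(3, 1, 1, 0)            # mission_type 0, truncated
    legacy = build_mission_count(3, 1, 1, 0, v2=False)
    fence = build_mission_count(2, 1, 1, 1)
    bad_all = build_mission_count(3, 1, 1, 255)       # MAV_MISSION_TYPE_ALL
    bad_7 = build_mission_count(3, 1, 1, 7)
    corrupt = bytearray(build_mission_count(3, 1, 1, 255))
    corrupt[10] ^= 0xFF                               # flip a payload byte
    return b"\x00\x00" + good + legacy + fence + bad_all + bad_7 + bytes(corrupt)


if __name__ == "__main__":
    for a in find_invalid_mission_count(sample_stream()):
        print("ALERT MISSION_COUNT mission_type=%d from sysid=%d compid=%d (MAVLink v%d)"
              % (a["mission_type"], a["sysid"], a["compid"], 2 if a["v2"] else 1))
```

Run against the constructed stream it reports two alerts (mission_type 255 and 7) and stays silent on the v1 frame, the zero-truncated v2 frame, the FENCE frame and the corrupted frame. To use it on a real link, feed the bytes captured from the controller-drone channel into find_invalid_mission_count; a frame from a system ID other than the known controller is a second indicator worth correlating.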
