CVE-2025-9020

4.5 MEDIUM

📋 TL;DR

This CVE describes a use-after-free vulnerability in PX4 Autopilot's Mavlink Shell Closing Handler component. An attacker with local access could potentially execute arbitrary code or cause denial of service by manipulating shell arguments. This affects PX4 Autopilot versions up to 1.15.4.

💻 Affected Systems

Products:
  • PX4 Autopilot
Versions: up to 1.15.4
Operating Systems: Linux-based drone flight controllers
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using Mavlink communication protocol with shell functionality enabled.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Local privilege escalation leading to full system compromise, arbitrary code execution, or complete drone control takeover.

🟠 Likely Case: Application crash or denial of service affecting drone operations.

🟢 If Mitigated: Minimal impact due to local-only access requirement and high exploitation complexity.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Requires local access and manipulation of specific Mavlink messages; exploitation is known to be difficult.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 4395d4f00c49b888f030f5b43e2a779f1fa78708

Vendor Advisory: https://github.com/PX4/PX4-Autopilot/issues/25046

Restart Required: Yes

Instructions:

1. Update PX4 Autopilot to a version after 1.15.4, or apply commit 4395d4f00c49b888f030f5b43e2a779f1fa78708
2. Rebuild and redeploy the firmware
3. Restart the flight controller

🔧 Temporary Workarounds

Disable Mavlink Shell

all

Disable shell functionality over Mavlink if not required

Set MAVLINK_SHELL_ENABLED parameter to 0

🧯 If You Can't Patch

  • Restrict physical and network access to flight controllers
  • Implement strict access controls for Mavlink communication

🔍 How to Verify

Check if Vulnerable:

Check the PX4 version: if the version is ≤ 1.15.4 and the Mavlink shell is enabled, the system is vulnerable

Check Version:

px4-version or check firmware version in QGroundControl

Verify Fix Applied:

Verify commit 4395d4f00c49b888f030f5b43e2a779f1fa78708 is present in the codebase
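
One way to run this check against a local git checkout of the firmware source, as an added example that is not part of the advisory or the PX4 project. The function name `fix_status` and the checkout path passed to it are assumptions; the commit hash is the one listed above.

```shell
#!/bin/sh
# Added example: report whether the fix commit is contained in the
# source tree that the firmware is built from.
FIX_COMMIT=4395d4f00c49b888f030f5b43e2a779f1fa78708   # from this advisory

# fix_status REPO_DIR [COMMIT]
# Prints one of: present | missing | unknown
# Exit status:   0         1         2
fix_status() {
    repo=$1
    commit=${2:-$FIX_COMMIT}

    # Not a git repository (for example a release tarball): ancestry
    # cannot be established from history.
    if ! git -C "$repo" rev-parse --git-dir >/dev/null 2>&1; then
        echo unknown
        return 2
    fi

    # Commit object absent: shallow clone, or a fork that never fetched it.
    if ! git -C "$repo" cat-file -e "${commit}^{commit}" 2>/dev/null; then
        echo unknown
        return 2
    fi

    # The fix is applied only if the commit is an ancestor of what is
    # checked out, not merely present somewhere in the object store.
    if git -C "$repo" merge-base --is-ancestor "$commit" HEAD; then
        echo present
        return 0
    fi

    echo missing
    return 1
}

# Script usage (path is an assumption): sh check_fix.sh /path/to/PX4-Autopilot
if [ $# -gt 0 ]; then
    fix_status "$@"
fi
```

A fix that was cherry-picked onto a vendor branch carries a different hash and is reported as `missing` or `unknown`, so on such forks compare the patched code itself rather than relying on the hash.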

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process crashes in mavlink_receiver
  • Abnormal Mavlink shell termination messages

Network Indicators:

  • Unusual Mavlink SERIAL_CONTROL message patterns
  • Multiple shell session initiation attempts

SIEM Query:

process:px4 AND (event:crash OR error:"use after free")
