References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

The MAVLink communication protocol does not require cryptographic 
authentication by default. When MAVLink 2.0 message signing is not 
enabled, any message -- including SERIAL_CONTROL, which provides 
interactive shell access -- can be sent by an unauthenticated party with
 access to the MAVLink interface. PX4 provides MAVLink 2.0 message 
signing as the cryptographic authentication mechanism for all MAVLink 
communication. When signing is enabled, unsigned messages are rejected 
at the protocol level.

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-306

https://docs.px4.io/main/en/mavlink/message_signing

https://docs.px4.io/main/en/mavlink/security_hardening

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-090-02.json

https://www.cisa.gov/news-events/ics-advisories/icsa-26-090-02