
CVE-2025-10250: Use of Hard-coded Cryptographic Key in DJI Mavic Spark

Severity: Low
Type: Vulnerability
CVE ID: CVE-2025-10250
Published: Thu Sep 11 2025 (09/11/2025, 11:32:06 UTC)
Source: CVE Database V5
Vendor/Project: DJI
Product: Mavic Spark

Description

A weakness has been identified in DJI Mavic Spark, Mavic Air and Mavic Mini 01.00.0500. Affected is an unknown function of the component Telemetry Channel. Manipulation can lead to the use of a hard-coded cryptographic key. The attacker needs to be present on the local network. The attack is rated as high complexity and is considered difficult to exploit. An exploit has been made available to the public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.

AI-Powered Analysis

Last updated: 09/11/2025, 11:37:33 UTC

Technical Analysis

CVE-2025-10250 is a vulnerability identified in certain DJI drone models, specifically the Mavic Spark, Mavic Air, and Mavic Mini running firmware version 01.00.0500. The weakness resides in an unspecified function within the Telemetry Channel component, where a hard-coded cryptographic key is used. Because the key is embedded in the firmware and does not change, it is the same on every unit running that firmware, so anyone who extracts it from one firmware image can use it against any affected drone reachable on the local network. The presence of a hard-coded key undermines the confidentiality and integrity of the telemetry data exchanged between the drone and its controller or other components: an attacker on the same local network could potentially intercept, decrypt, or manipulate telemetry data, leading to unauthorized control or data leakage. However, the attack complexity is high, meaning it requires significant skill and effort, although no user interaction or authentication is needed. The exploitability is considered difficult, and although an exploit is publicly available, the affected products are no longer supported by DJI, meaning no official patches or updates are provided. The CVSS 4.0 score is 2.3, reflecting a low severity primarily due to the high attack complexity, limited scope (local network only), and low impact on confidentiality, integrity, and availability. The vulnerability does not affect newer firmware versions or other DJI products.
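The following is an added illustration of the weakness class described above; it is not DJI code, not the published exploit, and not taken from this advisory. It contrasts a telemetry channel authenticated with a single key compiled into the firmware (the hypothetical constant FIRMWARE_KEY, a constructed value) against one whose key is derived per session from a per-device secret and a link-setup nonce. The frame layout, the HKDF-based derivation and the TelemetrySession class are all assumptions made for the example; only the Python standard library is used.

```python
"""
Constructed example: why a key baked into firmware cannot protect a telemetry
channel, and the per-session alternative. The frame format, FIRMWARE_KEY and
the device secrets below are made up for illustration and carry no real
protocol details.
"""
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output length

# Hypothetical constant standing in for a key baked into a firmware image.
# Every unit flashed with that image shares it, so recovering it from one
# image (or one drone) reveals it for all of them. Constructed value.
FIRMWARE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand, written against the stdlib."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def encode_frame(drone_id: bytes, seq: int, lat_e7: int, lon_e7: int, alt_cm: int) -> bytes:
    """Constructed telemetry frame layout (not DJI's): id, sequence, position."""
    return struct.pack(">16sIiii", drone_id, seq, lat_e7, lon_e7, alt_cm)


# Weak scheme: one key compiled into the firmware protects every drone's channel.
def seal_static(frame: bytes) -> bytes:
    return frame + mac(FIRMWARE_KEY, frame)


def open_static(sealed: bytes):
    frame, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    return frame if hmac.compare_digest(tag, mac(FIRMWARE_KEY, frame)) else None


# Hardened scheme: the MAC key is derived per session from a per-device secret
# (provisioned individually at manufacture) and a fresh nonce exchanged at
# link setup. Knowing the firmware image alone yields neither input.
class TelemetrySession:
    def __init__(self, device_secret: bytes, session_nonce: bytes):
        self.key = hkdf_sha256(device_secret, session_nonce, b"telemetry-mac")

    def seal(self, frame: bytes) -> bytes:
        return frame + mac(self.key, frame)

    def open(self, sealed: bytes):
        frame, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
        return frame if hmac.compare_digest(tag, mac(self.key, frame)) else None


def demo() -> dict:
    """Compare what a party holding only FIRMWARE_KEY achieves under each scheme."""
    drone_id = b"DRONE-0001".ljust(16, b"\0")
    frame = encode_frame(drone_id, seq=7, lat_e7=0, lon_e7=0, alt_cm=999_999)

    # Static key: a frame sealed with the extracted constant verifies on any drone.
    static_forgery_ok = open_static(seal_static(frame)) == frame

    # Per-session key: controller and drone share a per-device secret and a nonce.
    device_secret = os.urandom(32)  # constructed; never derivable from the firmware
    nonce = os.urandom(16)
    drone = TelemetrySession(device_secret, nonce)
    controller = TelemetrySession(device_secret, nonce)
    legit_ok = controller.open(drone.seal(frame)) == frame

    # A party that knows only the firmware constant cannot reach the session key.
    outsider = TelemetrySession(FIRMWARE_KEY, nonce)
    session_forgery_ok = controller.open(outsider.seal(frame)) is not None

    return {
        "static_forgery_accepted": static_forgery_ok,
        "session_legit_accepted": legit_ok,
        "session_forgery_accepted": session_forgery_ok,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same key-management difference applies to the encryption key for the channel: a confidentiality key shared by every unit is recoverable by anyone with the firmware, whereas a per-device secret combined with a per-session nonce limits what a single extracted image reveals. This is also the property that mitigation 7 below (higher-layer encryption or a VPN tunnel) restores from outside the device.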

Potential Impact

For European organizations, the impact of this vulnerability is generally low but not negligible. Organizations using affected DJI drones for commercial, industrial, or recreational purposes could face risks of telemetry data interception or manipulation if an attacker gains access to the same local network. This could lead to privacy breaches, loss of sensitive flight data, or in rare cases, unauthorized drone control, potentially causing physical damage or safety hazards. Since the affected products are no longer supported, organizations relying on these models may be unable to secure their devices through official updates, increasing their exposure. However, the requirement for local network access and high attack complexity limits the likelihood of widespread exploitation. Critical infrastructure or sensitive operations using these drones in Europe should assess the risk carefully, especially in environments where local network security is weak or physical access to the network is possible.

Mitigation Recommendations

Given the lack of official patches, European organizations should adopt specific mitigations:
1) Immediately discontinue use of affected DJI drone models in sensitive or critical operations and replace them with supported models running updated firmware.
2) Isolate drone control networks from general enterprise networks using VLANs or dedicated Wi-Fi segments with strong access controls to prevent unauthorized local network access.
3) Employ strong Wi-Fi security protocols (WPA3 where possible) and monitor for rogue devices or suspicious network activity around drone operation areas.
4) Physically secure drone operation zones to prevent attackers from gaining proximity to the local network.
5) Use network intrusion detection systems (NIDS) to detect anomalous telemetry traffic or attempts to exploit the vulnerability.
6) Educate drone operators about the risks of using outdated firmware and the importance of network security.
7) Consider encrypting telemetry data at higher layers or using VPN tunnels if supported by third-party tools to mitigate risks from the hard-coded key.


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-11T05:12:36.364Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c2b46a9f88baefcaada8c9

Added to database: 9/11/2025, 11:37:14 AM

Last enriched: 9/11/2025, 11:37:33 AM

Last updated: 9/11/2025, 11:37:33 AM
