CVE-2025-15150 is a stack-based buffer overflow vulnerability identified in the PX4-Autopilot software, a widely used open-source flight control software for drones and unmanned vehicles. The vulnerability resides in the MavlinkLogHandler module, specifically within the functions state_listing and log_entry_from_id located in the source file src/modules/mavlink/mavlink_log_handler.cpp. These functions improperly handle input data, leading to a stack-based buffer overflow condition when processing log entries. This memory corruption flaw can be triggered by an attacker with local access to the system running PX4-Autopilot, requiring only limited privileges (PR:L) and no user interaction (UI:N). The overflow could potentially allow an attacker to execute arbitrary code or cause a denial of service by crashing the autopilot software, which could have safety implications for drone operations. The vulnerability affects all PX4-Autopilot versions from 1.0 through 1.16.0. The vendor has released a patch identified by commit 338595edd1d235efd885fd5e9f45e7f9dcf4013d to address this issue. The CVSS v4.0 base score is 4.8, reflecting a medium severity due to the local attack vector and limited impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild as of the publication date. The vulnerability underscores the risks associated with local access to embedded autopilot systems and the need for strict access controls and timely patching.

For European organizations, the impact of CVE-2025-15150 primarily concerns entities operating drones or unmanned vehicles that utilize PX4-Autopilot software. A successful exploitation could lead to denial of service or potentially arbitrary code execution on the autopilot system, risking mission failure, loss of control, or safety hazards. This could affect commercial drone operators, research institutions, and defense contractors. The local access requirement limits remote exploitation but insider threats or compromised local systems could still pose risks. Disruption of drone operations could impact logistics, surveillance, agriculture, and emergency response sectors. Additionally, compromised autopilot systems could be leveraged to conduct unauthorized surveillance or sabotage. The medium severity score suggests moderate risk, but the safety-critical nature of drone control systems elevates the operational impact beyond typical IT systems. Therefore, European organizations should treat this vulnerability seriously to maintain operational integrity and safety compliance.

To mitigate CVE-2025-15150, European organizations should immediately apply the official patch released by the PX4 project, identified by commit 338595edd1d235efd885fd5e9f45e7f9dcf4013d, to all affected PX4-Autopilot versions up to 1.16.0. Beyond patching, organizations should enforce strict local access controls to PX4 systems, including physical security measures and user authentication to prevent unauthorized local access. Implement role-based access control (RBAC) and limit the number of users with local system privileges. Regularly audit and monitor local system access logs for suspicious activity. Employ runtime protections such as stack canaries and address space layout randomization (ASLR) where supported by the PX4 platform. Conduct thorough testing of autopilot software updates in controlled environments before deployment. Additionally, organizations should establish incident response plans specific to drone system compromises and ensure personnel are trained to recognize and respond to anomalies in drone behavior that could indicate exploitation.