
CVE-2025-9020: Use After Free in PX4 PX4-Autopilot

Severity: Low
Published: Fri Aug 15 2025 (08/15/2025, 07:32:07 UTC)
Source: CVE Database V5
Vendor/Project: PX4
Product: PX4-Autopilot

Description

A vulnerability was found in PX4 PX4-Autopilot up to 1.15.4. This issue affects the function MavlinkReceiver::handle_message_serial_control of the file src/modules/mavlink/mavlink_receiver.cpp of the component Mavlink Shell Closing Handler. The manipulation of the argument _mavlink_shell leads to use after free. The attack must be carried out locally. Attack complexity is rated high and exploitation is known to be difficult. The identifier of the patch is 4395d4f00c49b888f030f5b43e2a779f1fa78708. It is recommended to apply a patch to fix this issue.

AI-Powered Analysis

Last updated: 08/15/2025, 08:02:48 UTC

Technical Analysis

CVE-2025-9020 is a use-after-free vulnerability identified in the PX4-Autopilot software, specifically affecting versions up to 1.15.4. The flaw resides in the MavlinkReceiver::handle_message_serial_control function within the src/modules/mavlink/mavlink_receiver.cpp file, which is part of the Mavlink Shell Closing Handler component. The vulnerability occurs due to improper handling of the _mavlink_shell argument, leading to a use-after-free condition. This type of vulnerability can cause undefined behavior, including potential memory corruption, crashes, or arbitrary code execution if exploited. However, exploitation requires local access to the system, and the attack complexity is considered high, making successful exploitation difficult. No user interaction is needed, but the attacker must have at least low privileges on the device. The vulnerability impacts confidentiality, integrity, and availability to a limited extent due to the local and complex nature of the attack vector. The issue has been addressed in a patch identified by commit 4395d4f00c49b888f030f5b43e2a779f1fa78708, and applying this patch is recommended to remediate the vulnerability. The CVSS v4.0 score is 2.0, reflecting a low severity rating, primarily due to the high attack complexity, local attack vector, and limited scope of impact. No known exploits are currently reported in the wild.
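The bug class named above, shown schematically as an added example (this is not PX4's code and does not reproduce the actual defect or the patch): a handler that frees the shell object on a close message but leaves the member pointer dangling, beside a hardened form that owns the object through a smart pointer, clears it on close, and checks liveness before every use. The MavlinkShell and SerialControlMsg types are constructed stand-ins.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <string>

// Constructed stand-ins for this example; not PX4's real types.
struct MavlinkShell {
    std::string sink;  // captures bytes "sent" to the shell
    void write(const uint8_t *d, size_t n) { sink.append(reinterpret_cast<const char *>(d), n); }
};
struct SerialControlMsg { bool close; const uint8_t *data; size_t count; };

// Vulnerable shape of the bug class: closing deletes the object but leaves the
// member pointer dangling, so the next data message writes through freed memory.
class ReceiverUnsafe {
public:
    MavlinkShell *_mavlink_shell = nullptr;
    void open() { _mavlink_shell = new MavlinkShell(); }
    void handle(const SerialControlMsg &m) {
        if (m.close) { delete _mavlink_shell; return; }  // pointer is not cleared
        _mavlink_shell->write(m.data, m.count);          // use after free once closed
    }
};

// Hardened shape: unique_ptr ownership, reset() on close (frees and nulls), and a
// liveness check on every use, so a message after close is dropped, not dereferenced.
class ReceiverSafe {
public:
    void open() { _mavlink_shell = std::make_unique<MavlinkShell>(); }
    bool handle(const SerialControlMsg &m) {
        if (m.close) { _mavlink_shell.reset(); return true; }
        if (!_mavlink_shell) return false;  // shell closed: reject the data
        _mavlink_shell->write(m.data, m.count);
        return true;
    }
    bool shell_open() const { return static_cast<bool>(_mavlink_shell); }
    std::string received() const { return _mavlink_shell ? _mavlink_shell->sink : std::string(); }
private:
    std::unique_ptr<MavlinkShell> _mavlink_shell;
};

// Drives the hardened receiver through open -> data -> close -> data and returns
// true only if the first write was kept and the post-close write was rejected.
bool demo_safe_sequence() {
    ReceiverSafe r;
    const uint8_t cmd[] = {'l', 's', '\n'};
    r.open();
    bool kept = r.handle({false, cmd, sizeof cmd}) && r.received() == "ls\n";
    r.handle({true, nullptr, 0});
    bool rejected = !r.handle({false, cmd, sizeof cmd}) && !r.shell_open();
    return kept && rejected;
}
```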

Potential Impact

For European organizations utilizing PX4-Autopilot, particularly in sectors such as unmanned aerial vehicles (UAVs), drones, and robotics, this vulnerability poses a limited but tangible risk. Exploitation could lead to denial of service or potentially unauthorized code execution on the autopilot system, which may disrupt operations or compromise mission-critical functions. While the attack requires local access and is complex, insider threats or attackers gaining physical or network access to the device could leverage this flaw. The impact on confidentiality and integrity is low but non-negligible, especially for organizations relying on PX4 for sensitive or regulated operations such as infrastructure inspection, agriculture, or delivery services. Disruption or compromise of UAV control systems could have safety and operational consequences. Given the increasing adoption of PX4 in European drone applications, failure to patch this vulnerability could expose organizations to operational risks and regulatory scrutiny under frameworks like the EU Cybersecurity Act and NIS2 Directive.

Mitigation Recommendations

European organizations should prioritize applying the official patch identified by commit 4395d4f00c49b888f030f5b43e2a779f1fa78708 to all affected PX4-Autopilot deployments. Beyond patching, organizations should enforce strict access controls to limit local access to PX4 devices, including physical security measures and network segmentation to prevent unauthorized local connectivity. Implementing robust authentication and authorization mechanisms for device management interfaces can reduce the risk of local exploitation. Regularly auditing and monitoring PX4 systems for anomalous behavior or unauthorized access attempts is advisable. Additionally, organizations should maintain an inventory of PX4 versions in use and establish update policies to ensure timely application of security patches. For critical UAV operations, consider deploying runtime protections such as memory safety tools or sandboxing to mitigate potential exploitation impacts. Training personnel on secure handling and operation of PX4-based systems will further reduce risk.


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-14T06:00:30.227Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 689ee629ad5a09ad0063f0e4

Added to database: 8/15/2025, 7:47:53 AM

Last enriched: 8/15/2025, 8:02:48 AM

Last updated: 8/22/2025, 12:34:57 AM

