CVE-2026-32713 is a vulnerability identified in the PX4-Autopilot, an open-source flight control software widely used in drones. The issue stems from a logic error in the MAVLink FTP session validation mechanism prior to version 1.17.0-rc2. Specifically, the code incorrectly uses a logical AND (&&) operator instead of a logical OR (||) when validating session states. This flaw allows BurstReadFile and WriteFile operations to proceed even when sessions are invalid or file descriptors are closed. Consequently, an unauthenticated attacker can bypass session isolation checks and trigger operations on invalid file descriptors, potentially causing the FTP subsystem to enter an inconsistent or unstable state. Although the vulnerability does not directly compromise confidentiality or integrity, it can degrade availability by disrupting file transfer operations within the autopilot system. The vulnerability requires no authentication or user interaction, increasing the risk of remote exploitation. The PX4 project addressed this issue in version 1.17.0-rc2 by correcting the boolean logic to properly enforce session validation. No public exploits have been reported to date, but the flaw presents a risk to drone operations relying on affected PX4 versions.

The primary impact of this vulnerability is on the availability and stability of the PX4 autopilot's FTP subsystem. An attacker exploiting this flaw can cause inconsistent states and potentially disrupt file transfer operations critical for drone firmware updates or configuration management. While the vulnerability does not allow direct data theft or modification, the disruption of FTP operations could delay or prevent essential maintenance tasks, indirectly affecting drone mission reliability and safety. Organizations operating drones with affected PX4 versions may experience operational interruptions, especially in environments where remote updates or file transfers are frequent. Given the unauthenticated nature of the exploit, attackers with network access to the MAVLink FTP service could trigger these disruptions remotely. This could be particularly impactful in commercial, industrial, or defense drone deployments where uptime and reliability are critical. However, the medium CVSS score reflects the limited scope and impact on confidentiality and integrity.

Organizations should upgrade PX4-Autopilot to version 1.17.0-rc2 or later, where the logic error is corrected. Until upgrades can be applied, network-level controls should be implemented to restrict access to the MAVLink FTP service, limiting exposure to trusted entities only. Employing network segmentation and firewall rules to isolate drone control and management interfaces reduces the attack surface. Monitoring MAVLink FTP session logs for unusual or repeated invalid session attempts can help detect exploitation attempts. Additionally, drone operators should validate firmware and configuration files through cryptographic signatures to mitigate risks from potential file manipulation. Incorporating anomaly detection on drone communication channels may provide early warnings of exploitation attempts. Finally, maintaining an incident response plan specific to drone system disruptions will help organizations respond effectively if exploitation occurs.