CVE-2026-1743
Authentication Bypass via Replay in DJI Enhanced Wi-Fi Pairing
Publication date: 2026-02-02
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dji | mavic_mini | to 01.00.0500 (inc) |
| dji | spark | to 01.00.0500 (inc) |
| dji | mini_se | to 01.00.0500 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-294 | A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1743 is a vulnerability in DJI Mavic Mini, Spark, and Mini SE drones affecting the Enhanced Wi-Fi Pairing component. It allows an attacker within the local network to perform an authentication bypass by capturing and replaying network traffic. The vulnerability exploits weak WEP encryption used in the Wi-Fi protocol, enabling the attacker to recover the WEP key and inject crafted packets that forcibly disconnect the drone from its remote controller. This causes a denial-of-service condition, disrupting control and telemetry between the drone and controller. The attack is complex but feasible and does not require prior authentication. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can impact users by causing a denial-of-service (DoS) condition on affected DJI drones, resulting in loss of control and telemetry between the drone and its remote controller. An attacker within wireless range can disconnect the drone at any time, whether it is grounded or airborne, potentially leading to crashes or loss of the drone. The disruption persists as long as the attacker continues to replay the crafted disconnect frames, affecting the availability and safe operation of the drone. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for IEEE 802.11 frame injection or replay on the Enhanced Wi-Fi pairing channel used by DJI Mavic Mini, Spark, and Mini SE drones. Because the attack involves capturing and replaying WEP-encrypted frames, network sniffing tools such as Wireshark or tcpdump can capture the wireless traffic so that it can be analyzed for repeated or suspicious pairing frames. Tools that monitor for WEP key recovery attempts or abnormal disconnection frames on a monitor-mode wireless interface (e.g., mon0) may also help detect exploitation attempts. For example, capture wireless traffic with `tcpdump -i mon0 -w capture.pcap`, then analyze the capture for repeated pairing frames or disconnect packets. Unexpected drone disconnections or loss of telemetry recorded in logs may also indicate an attack. [1, 2]
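One way to analyze such a capture for repeated frames, as an added example that is not part of the original page or any vendor tooling: it flags WEP-protected data frames whose IV and ciphertext recur verbatim from one transmitter inside a short window, ignoring frames with the 802.11 Retry bit set. It assumes a little-endian classic pcap with radiotap link type (127); the function names, the thresholds and the sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict

def read_radiotap_pcap(blob):
    """Yield (timestamp, 802.11 frame) from little-endian pcap bytes, link type 127."""
    magic, *_, linktype = struct.unpack_from("<IHHiIII", blob)
    if magic != 0xA1B2C3D4 or linktype != 127:
        raise ValueError("expected a little-endian radiotap pcap")
    off = 24
    while off + 16 <= len(blob):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", blob, off)
        pkt = blob[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) >= 4:  # strip the radiotap header (its length is at bytes 2-3)
            yield sec + usec / 1e6, pkt[struct.unpack_from("<H", pkt, 2)[0]:]

def wep_replays(frames, min_copies=3, window=5.0):
    """Map (transmitter, IV) -> copies for WEP data frames seen verbatim too often."""
    seen = defaultdict(list)
    for ts, f in frames:
        if len(f) < 24 or (f[0] >> 2) & 3 != 2 or not f[1] & 0x40 or f[1] & 0x08:
            continue  # keep protected data frames; skip Retry (normal retransmits)
        hdr = 24 + (6 if f[1] & 3 == 3 else 0) + (2 if f[0] & 0x80 else 0)
        if len(f) < hdr + 8 or f[hdr + 3] & 0x20:
            continue  # truncated, or ExtIV set (TKIP/CCMP rather than WEP)
        # key: transmitter address, 3-byte WEP IV, ciphertext including ICV
        seen[(f[10:16].hex(":"), f[hdr:hdr + 3].hex(), f[hdr + 4:])].append(ts)
    hits = {}
    for (tx, iv, _), times in seen.items():
        times.sort()
        if any(times[i + min_copies - 1] - times[i] <= window
               for i in range(len(times) - min_copies + 1)):
            hits[(tx, iv)] = len(times)
    return hits

def sample_capture():
    """Constructed capture: one frame sent 4 times in 2 s, plus ordinary traffic."""
    radiotap = bytes([0, 0, 8, 0, 0, 0, 0, 0])             # minimal 8-byte header
    def frame(iv, body, retry=False):
        fc = bytes([0x08, 0x41 | (0x08 if retry else 0)])  # data, ToDS, Protected
        addrs = bytes.fromhex("02aabbccdd01" "02aabbccdd02" "02aabbccdd01")
        return radiotap + fc + b"\x00\x00" + addrs + b"\x00\x00" + iv + b"\x00" + body
    pkts = [(t * 0.5, frame(b"\x11\x22\x33", b"REPLAYED-CIPHERTEXT")) for t in range(4)]
    pkts += [(3.0 + t, frame(bytes([t, 0, 1]), b"normal-%d" % t)) for t in range(3)]
    pkts += [(6.0 + t * 0.01, frame(b"\x05\x00\x01", b"retransmit", True)) for t in range(3)]
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
    for ts, f in pkts:
        blob += struct.pack("<IIII", int(ts), int(ts % 1 * 1e6), len(f), len(f)) + f
    return blob
```

On a real capture, pass the bytes of `capture.pcap` to `read_radiotap_pcap` and tune `min_copies` and `window` to the link's normal behaviour before alerting on the result.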
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected DJI drones with models that do not use the vulnerable Enhanced Wi-Fi pairing protocol or have updated firmware that addresses this issue. Since the vulnerability exploits weak WEP encryption, avoiding use of the affected firmware version (up to 01.00.0500) is critical. There are no known vendor patches or fixes currently available. Limiting physical and wireless access to the local network where the drone operates can reduce the risk of attack. Additionally, monitoring for suspicious wireless activity and disabling Wi-Fi interfaces when not in use may help mitigate exploitation. Avoid flying the affected drones in environments where attackers could be within wireless range. [1]