Impact
The vulnerability in DroneAware's centralized server allows an attacker to pre‑register an account using a victim's email address with an attacker‑controlled password before the victim activates the account. When the legitimate user later activates their account by clicking the email verification link or logging in via Google SSO, the attacker’s password continues to be valid, resulting in silent and persistent account takeover without any notification to the victim. This flaw is identified as CWE‑287 (Improper Authentication) and CWE‑302 (Improper Validation of Authentication Errors).
Affected Systems
The affected system is the DroneAware server that backs the droneaware.io service, specifically the fduflyer:DroneAware-Node-Releases product. Node binaries and self-hosted detection nodes are not affected, and the server‑side patch was released on 2025‑05‑20. The vulnerability is limited to the server component; any installations that have applied the patch are no longer affected.
Risk and Exploitability
The CVSS score is 6.8, indicating a medium severity. The EPSS score is less than 1%, suggesting a very low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is likely remote, requiring only the ability to register an account with the target’s email address, a common action in most deployment scenarios. Once the victim activates their account, the attacker retains full access, with no detection or mitigation on the client side, meaning the exploit can remain undetected for an extended period.
OpenCVE Enrichment