CVE-2023-6951

CVE-2023-6951 is a medium-severity vulnerability with a CVSS 3.x base score of 6.6. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-334.

Key facts

Description

A Use of Weak Credentials vulnerability affecting the Wi-Fi network generated by a set of DJI drones could allow a remote attacker to derive the WPA2 PSK key and authenticate without permission to the drone’s Wi- Fi network. This, in turn, allows the attacker to perform unauthorized interaction with the network services exposed by the drone and to potentially decrypt the Wi-Fi traffic exchanged between the drone and the Android/IOS device of the legitimate user during QuickTransfer mode. Affected models are Mavic 3 Pro until v01.01.0300, Mavic 3 until v01.00.1200, Mavic 3 Classic until v01.00.0500, Mavic 3 Enterprise until v07.01.10.03, Matrice 300 until v57.00.01.00, Matrice M30 until v07.01.0022 and Mini 3 Pro until v01.00.0620.

Frequently asked questions

What is CVE-2023-6951?
A Use of Weak Credentials vulnerability affecting the Wi-Fi network generated by a set of DJI drones could allow a remote attacker to derive the WPA2 PSK key and authenticate without permission to the drone’s Wi- Fi network. This, in turn, allows the attacker to perform unauthorized interaction with the network services exposed by the drone and to potentially decrypt the Wi-Fi traffic exchanged between the drone and the Android/IOS device of the legitimate user during QuickTransfer mode. Affected models are Mavic 3 Pro until v01.01.0300, Mavic 3 until v01.00.1200, Mavic 3 Classic until v01.00.0500, Mavic 3 Enterprise until v07.01.10.03, Matrice 300 until v57.00.01.00, Matrice M30 until v07.01.0022 and Mini 3 Pro until v01.00.0620.
How severe is CVE-2023-6951?
CVE-2023-6951 has a CVSS 3.x base score of 6.6, rated medium severity. It is exploitable over an adjacent network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity none, and availability none.
Is CVE-2023-6951 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (21st percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2023-6951?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2023-6951 have an EU (EUVD) identifier?
Yes. CVE-2023-6951 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-59147.
When was CVE-2023-6951 published?
CVE-2023-6951 was published on 2024-04-02 and last updated on 2026-06-17.

References

Other CWE-334 vulnerabilities

Browse all CWE-334 vulnerabilities →