DJI Mavic 3 Wi-Fi Weak Credentials / QuickTransfer Key Derivation (CVE-2023-6951)

Assessment

CFSE Consequence Paths assesses DJI Mavic 3 Wi-Fi Weak Credentials / QuickTransfer Key Derivation (CVE-2023-6951) at CRITICAL — the worst of 2 risk paths (perception). The dominant consequence is exposure of sensor or biometric data.

Vulnerability

DJI Mavic 3 Wi-Fi Weak Credentials / QuickTransfer Key Derivation (CVE-2023-6951). Reported attack vector: Adjacent network (drone Wi-Fi range).

CFSE Consequence Paths analysis

The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.

PERCEPTION_PRIVACY → CRITICAL

CPATH:1.0-candidate/TT:PERCEPTION_PRIVACY/RE:2/EC:4/EX:2/PH:0/DP:4/AT:2/CH:2/SR:4/SX:2/OR:2/EV:2/LS:PATCH_AVAILABLE

Exposure EX=2 (reachability-bound) · bands PH=MONITOR · DP=CRITICAL · AT=ELEVATED → base CRITICAL · caps privacy-only cap → assessed CRITICAL.

• RE2 — adjacent Wi-Fi RF proximity (AV:A) plus operator using QuickTransfer (UI:R).
• EC4 — AC:L single-step PSK derivation from predictable inputs once known.
• DP4 — decrypted live drone telemetry/media = camera/nav/spatial perception state of an autonomous vehicle.
• perception_feeds_action — false: attacker only observes (C:H, I:N, A:N); no demonstrated injection back into flight/nav decisions.
• AT2 — bounded unauthorized access to drone network services, no control-plane/admin authority, no I/A impact.
• PH0 — no actuation/safety effect demonstrated.
• CH2 — + boundary_crossing: crosses app/device/RF boundary (joins device net, decrypts operator-device traffic) but no demonstrated cross-domain authority transfer.
• SR4 — weak key derivation is systematic across the affected model/firmware list (shared derivation scheme = portable technique).
• SX2 — per-device proximity-bound, must be in RF range of each target, not fleet-remote.
• OR2 — firmware update fixes it, no recall/key rotation across fleet.
• EV2 — report-backed (Nozomi writeup), LS PATCH_AVAILABLE. Not known exploited in wild.

DATA_PRIVACY → HIGH

CPATH:1.0-candidate/TT:DATA_PRIVACY/RE:2/EC:4/EX:2/PH:0/DP:3/AT:2/CH:2/SR:4/SX:2/OR:2/EV:2/LS:PATCH_AVAILABLE

Exposure EX=2 (reachability-bound) · bands PH=MONITOR · DP=HIGH · AT=ELEVATED → base HIGH · caps privacy-only cap → assessed HIGH.

• Distinct terminal consequence: confidentiality of transferred media/files and exposure of drone network services (foothold), separate from live perception interception.
• RE2 — Wi-Fi range + operator QuickTransfer in use (AV:A, UI:R).
• EC4 — AC:L derive-PSK-and-join.
• DP3 — transferred media/recorded content and exposed service/op-state = sensitive proprietary/PII-class data rather than live world-model feed.
• AT2 — bounded network access to drone services, confidentiality-only, no admin/firmware/command authority (I:N, A:N).
• PH0 — no safety/physical effect.
• CH2 — + boundary_crossing: app-to-device-network-to-RF boundary crossing, foothold on services, but no demonstrated authority pivot to control.
• SR4 — derivation weakness reusable across affected firmware/models.
• SX2 — proximity-bound per target, not remote fleet mass-exploit.
• OR2 — vendor firmware update remedies.
• EV2 — report-backed, LS PATCH_AVAILABLE, no in-the-wild exploitation.

Published baseline

• v3.1 6.6 MEDIUM — CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N — Nozomi Networks via NVD

The published baseline above is retained for source review. The registry records the reachable consequence path, including deployment-specific cyber-physical consequence, physical/safety impact, scale, and recovery burden.

Sources

• NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-6951