Missing TLS (HTTPS) certificate validation during firmware update in DroneScout ds230 Remote ID receiver from BlueMark Innovations
Description
DroneScout ds230 Remote ID receiver from BlueMark Innovations is affected by an Improper Authentication vulnerability during the firmware update procedure.
Specifically, the firmware update procedure ignores and does not check the validity of the TLS certificate of the HTTPS endpoint from which the firmware update package (.tar.bz2 file) is downloaded. An attacker with the ability to put himself in a Man-in-the-Middle situation (e.g., DNS poisoning, ARP poisoning, control of a node on the route to the endpoint, etc.) can trick the DroneScout ds230 to install a crafted malicious firmware update containing arbitrary files (e.g., executable and configuration) and gain administrative (root) privileges on the underlying Linux operating system. This issue affects DroneScout ds230 firmware from version 20211210-1627 through 20230329-1042.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DroneScout ds230 firmware update fails to validate TLS certificate, allowing MITM to install malicious firmware and gain root access.
Vulnerability
DroneScout ds230 Remote ID receiver from BlueMark Innovations is affected by an Improper Authentication vulnerability during the firmware update procedure. The firmware update process ignores and does not check the validity of the TLS certificate of the HTTPS endpoint from which the firmware update package (.tar.bz2 file) is downloaded. This affects DroneScout ds230 firmware versions from 20211210-1627 through 20230329-1042 [1][2].
Exploitation
An attacker with the ability to perform a Man-in-the-Middle attack (e.g., via DNS poisoning, ARP poisoning, or control of a node on the network route) can trick the DroneScout ds230 into downloading a crafted malicious firmware update. No prior authentication or user interaction is required beyond positioning themselves in the network path [2].
Impact
Successful exploitation allows the attacker to install arbitrary files (e.g., executables and configuration) and gain administrative (root) privileges on the underlying Linux operating system of the DroneScout ds230 [2].
Mitigation
Update the DroneScout ds230 firmware to a version newer than 20230329-1042. The firmware history indicates that later versions, such as 20250624-1146 and newer, include security improvements [1]. [2] confirms that upgrading to a version beyond the affected range resolves the issue.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: >=20211210-1627 <=20230329-1042
- bluemark/ds230v5Range: 20211210-1627
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.