While 5G networks can maintain connectivity for unmanned aerial vehicles (UAVs), they fall short in meeting the stringent requirements of UAV control commands regarding timeliness, availability, and integrity, thereby compromising control reliability. This work constructs a reproducible testbed based on Open5GS and UERANSIM to systematically investigate this gap, revealing for the first time a fundamental mismatch between 5G connectivity guarantees and UAV control demands. The study uncovers novel cross-layer attack vectors—including co-located UE congestion, core network control-plane disruptions, and plaintext manipulation at the gNodeB—that enable adversaries to trigger UAV safety mechanisms or inject malicious commands without severing the communication link. These findings demonstrate that connectivity alone is insufficient to ensure the security of networked UAVs. Disclosed vulnerabilities have led to formal CVE assignments.

UAVs are increasingly deployed in critical applications and rely on 5G networks for long-range command-and-control (C2) connectivity. As the C2 channel is safety-critical, disruptions or manipulation of this communication channel may lead to loss of control, mission failure, or safety incidents. The architectural complexity of 5G standalone (SA) introduces logical attack surfaces that may affect such applications, yet the impact of logical vulnerabilities in the 5G architecture on UAV command-and-control carried over cellular infrastructure has received little attention. In this work, we develop a reproducible testbed that emulates 5G SA and integrates a UAV C2 channel using MAVLink over the 5G User Plane through Open5GS and UERANSIM. We define three threat models (rogue UE in the same slice and DNN, insider with access to the N4 interface, compromised gNodeB) and implement representative attacks. Our evaluation shows that a rogue UE can inject C2 commands and force the UAV to land; an insider can tear down PDU sessions via PFCP and trigger UAV failsafe; a compromised gNodeB can alter MAVLink navigation commands and redirect the UAV. The results demonstrate that logical attacks on the 5G architecture can compromise UAV C2 without breaking air-interface encryption, revealing cross-layer vulnerabilities between cellular infrastructure and UAV communication protocols. We provide a threat-model framework, experimental evidence, and mitigations (MAVLink signing, integrity protection on N3 and N4 interfaces) for operators and system designers deploying UAVs over 5G.