Search

Find a vulnerability

Search criteria

    1 vulnerability by Unitree

    GCVE-1337-2025-000000000… (CVE-2025-35027)

    Vulnerability from gna-1337 – Published: 2025-09-26 06:53 – Updated: 2025-09-26 15:16
    VLAI
    Title
    Unitree Multiple Robotic Products Command Injection
    Summary
    Multiple robotic products by Unitree sharing a common firmware, including the Go2, G1, H1, and B2 devices, contain a command injection vulnerability. By setting a malicious string when configuring the on-board WiFi via a BLE module of an affected robot, then triggering a restart of the WiFi service, an attacker can ultimately trigger commands to be run as root via the wpa_supplicant_restart.sh shell script. All Unitree models use firmware derived from the same codebase (MIT Cheetah), and the two major forks are the G1 (humanoid) and Go2 (quadruped) branches.
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Unitree Go2 Affected: 0 , ≤ 1.1.7 (semver)
    Create a notification for this product.
    Unitree G1 Affected: 0 , ≤ 1.6.0 (semver)
    Create a notification for this product.
    Date Public
    2025-09-26 06:41
    Credits
    Andreas Makris Kevin Finisterre Konstantin Severov todb

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Go2",
              "vendor": "Unitree",
              "versions": [
                {
                  "lessThanOrEqual": "1.1.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "G1",
              "vendor": "Unitree",
              "versions": [
                {
                  "lessThanOrEqual": "1.6.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Andreas Makris"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Kevin Finisterre"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Konstantin Severov"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "todb"
            }
          ],
          "datePublic": "2025-09-26T06:41:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Multiple robotic products by Unitree sharing a common firmware, including the Go2, G1, H1, and B2 devices, contain a command injection vulnerability. By setting a malicious string when configuring the on-board WiFi via a BLE module of an affected robot, then triggering a restart of the WiFi service, an attacker can ultimately trigger commands to be run as root via the wpa_supplicant_restart.sh shell script.\u0026nbsp;All Unitree models use firmware derived from the same codebase (MIT Cheetah), and the two major forks are the G1 (humanoid) and Go2 (quadruped) branches."
                }
              ],
              "value": "Multiple robotic products by Unitree sharing a common firmware, including the Go2, G1, H1, and B2 devices, contain a command injection vulnerability. By setting a malicious string when configuring the on-board WiFi via a BLE module of an affected robot, then triggering a restart of the WiFi service, an attacker can ultimately trigger commands to be run as root via the wpa_supplicant_restart.sh shell script.\u00a0All Unitree models use firmware derived from the same codebase (MIT Cheetah), and the two major forks are the G1 (humanoid) and Go2 (quadruped) branches."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A proof-of-concept has been published at the referenced UniPwn Github repo."
                }
              ],
              "value": "A proof-of-concept has been published at the referenced UniPwn Github repo."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-26T15:16:57.586Z",
            "orgId": "26969f82-7e87-44d8-9cb5-f6fb926ddd43",
            "shortName": "AHA"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://takeonme.org/cves/cve-2025-35027"
            },
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/Bin4ry/UniPwn"
            },
            {
              "tags": [
                "media-coverage"
              ],
              "url": "https://spectrum.ieee.org/unitree-robot-exploit"
            },
            {
              "tags": [
                "government-resource"
              ],
              "url": "https://x.com/committeeonccp/status/1971250635548033311"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://www.cve.org/cverecord?id=CVE-2025-60017"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://www.cve.org/cverecord?id=CVE-2025-60250"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unitree Multiple Robotic Products Command Injection",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "26969f82-7e87-44d8-9cb5-f6fb926ddd43",
        "assignerShortName": "AHA",
        "cveId": "CVE-2025-35027",
        "datePublished": "2025-09-26T06:53:49.585Z",
        "dateReserved": "2025-04-15T20:41:31.524Z",
        "dateUpdated": "2025-09-26T15:16:57.586Z",
        "serial": 1,
        "state": "PUBLISHED",
        "vulnId": "GCVE-1337-2025-00000000000000000000000000000000000000000000000001011011111110011111111110000000000000000000000000000000000000000000000000000000010"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }