CVE-2026-27509

Опубликовано: 26 фев. 2026

Источник: nvd

CVSS3: 8

EPSS Низкий

Описание

Unitree Go2 firmware versions V1.1.7 through V1.1.9, and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When the keybinding is pressed, the code executes as root and the binding persists across reboots.

Ссылки

https://boschko.ca/unitree-go2-rce/
Exploit
Third Party Advisory
https://shop.unitree.com/products/unitree-go2
Product
https://www.vulncheck.com/advisories/unitree-go2-missing-dds-authentication-enables-adjacent-rce
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:unitree:go2_firmware:*:*:*:*:*:*:*:*

Версия от 1.1.7 (включая) до 1.1.9 (включая)

cpe:2.3:h:unitree:go2:-:*:*:*:*:*:*:*

Конфигурация 2

Одновременно

cpe:2.3:o:unitree:go2_edu_firmware:1.1.11:*:*:*:*:*:*:*

cpe:2.3:h:unitree:go2_edu:-:*:*:*:*:*:*:*

EPSS

Процентиль: 38%

0.00481

Низкий

8 High

CVSS3

Дефекты

CWE-306

Связанные уязвимости

GHSA-hcv4-2wj7-9p5g

CVSS3: 8

github

4 месяца назад

Unitree Go2 firmware versions V1.1.7 through V1.1.9 and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When the keybinding is pressed, the code executes as root and the binding persists across reboots.

EPSS

Процентиль: 38%

0.00481

Низкий

8 High

CVSS3

Дефекты

CWE-306