Backdoor Vulnerability in Go1 Robot by Unitree Robotics
CVE-2025-2894

6.6 MEDIUM

Key Information:

Vendor: Unitree
Status: Vendor
CVE Published: 28 March 2025

What is CVE-2025-2894?

CVE-2025-2894 is a significant security vulnerability found in the Go1 Robot developed by Unitree Robotics, which is marketed as "The World's First Intelligent Bionic Quadruped Robot Companion of Consumer Level." This vulnerability reveals an undocumented backdoor that, if exploited, allows complete remote control of the robot by the manufacturer or anyone who possesses the correct API key. This poses a serious risk to organizations utilizing this robotic technology, as it could lead to unauthorized access and control over physical systems, compromising safety and operational integrity.

Technical Details

The Go1 robot integrates cloud-based remote access through the CloudSail service. This service supports extensive remote functionality, but the undocumented backdoor means that entities outside the owner's control, the manufacturer or anyone holding the correct API key, could gain access to the robot's controls. Because the backdoor bypasses the standard access-control mechanisms intended to protect user access and data, it poses a critical threat wherever the robot is deployed without additional safeguards such as network segmentation and egress filtering.

Potential Impact of CVE-2025-2894

  1. Unauthorized Remote Control: The backdoor allows malicious actors or unauthorized third parties to take over the robot. This control could enable them to manipulate its actions, leading to unintended or harmful behaviors, jeopardizing not only the equipment but also the safety of individuals nearby.

  2. Data Breach Risks: Organizations that use the Go1 Robot may be handling sensitive information through interactions with the device. The presence of an undetected backdoor increases the likelihood of data interception or manipulation, which can result in breaches of confidential information and loss of trust from clients and stakeholders.

  3. Operational Disruptions: If exploited, the vulnerability can lead to significant operational disruptions. Compromised control of the Go1 Robot could affect production lines or services reliant on the robotics, leading to downtime, financial losses, and potential legal ramifications regarding safety and liability standards.

Affected Version(s)

Go1 2022_05_11_e0d0e617

CVSS V3.1

Score: 6.6
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Andreas Makris
Kevin Finisterre
todb