Command Injection Vulnerability in Unitree Robotic Products
CVE-2025-35027

7.3HIGH

Key Information:

Vendor

Unitree

Status
Go2
G1
Vendor
CVE Published:
26 September 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-35027?

Multiple robotic devices by Unitree, such as the Go2, G1, H1, and B2, contain a command injection vulnerability due to shared firmware. Malicious actors can exploit this weakness by configuring the onboard WiFi through a BLE module, setting a harmful command string. After modifying the configuration, triggering a restart of the WiFi service allows the attacker to execute commands with root privileges via the wpa_supplicant_restart.sh shell script, potentially compromising the integrity and security of the robotic systems.

Affected Version(s)

G1 0 <= 1.6.0

Go2 0 <= 1.1.7

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-35027 - Proof of Concept

References

https://https://takeonme.org/cves/cve-2025-35027
third-party-advisory
https://github.com/Bin4ry/UniPwn
technical-description
https://spectrum.ieee.org/unitree-robot-exploit
media-coverage

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Andreas Makris
Kevin Finisterre
Konstantin Severov
todb
JSON
.
CVE-2025-35027 : Command Injection Vulnerability in Unitree Robotic Products