Root OS Command Injection Vulnerability in Unitree Robot Devices
CVE-2025-60017

8.2HIGH

Key Information:

Vendor: Unitree
Status: Go2; G1; H1; B2
Vendor: CVE Published:; 26 September 2025

What is CVE-2025-60017?

The vulnerability in Unitree's Go2, G1, H1, and B2 devices allows for root OS command injection through improperly validated input in the hostapd_restart.sh script. This occurs when malicious actors manipulate the wifi_ssid or wifi_pass parameters during the restart process of the Wi-Fi access point. Exploitation of this flaw can lead to unauthorized access and control over the device's operating system, posing significant security risks to users.

Affected Version(s)

B2 0 <= 2025-09-20

G1 0 <= 2025-09-20

Go2 0 <= 2025-09-20

References

https://spectrum.ieee.org/unitree-robot-exploit

https://github.com/Bin4ry/UniPwn

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 26, 2025
Vulnerability Reserved
Sep 23, 2025

JSON