Remote Code Execution in Unitree Go2 Firmware by Unitree Robotics
CVE-2026-27509

8.5 HIGH

Key Information:

Vendor
CVE Published: 26 February 2026

Badges

🔥 Trending now | 📈 Trended | 📈 Score: 1,190 | 👾 Exploit Exists

What is CVE-2026-27509?

CVE-2026-27509 is a high-severity vulnerability in the Unitree Go2 firmware, affecting versions V1.1.7 through V1.1.9 and V1.1.11 (EDU). The firmware performs no authentication or authorization when handling a specific DDS topic, so an unauthenticated attacker on the same network can craft and publish a malicious message to that topic. The message can contain arbitrary Python code, which the robot writes to a persistent location on the system. Once the attacker sets a physical keybinding for this code and the binding is activated, the code executes with root privileges, posing a significant security risk to any organization using these robots.

Potential impact of CVE-2026-27509

  1. Remote Code Execution: The vulnerability enables attackers to execute arbitrary code on the Unitree Go2 robot. This could allow for the manipulation of the robot, potentially leading to harmful physical actions or misuse of the machine.

  2. Loss of Data Integrity: As attackers can write unauthorized code that persists across reboots, there is a risk of contamination or alteration of data within the system, undermining the integrity of robotic operations.

  3. Compromise of Operational Security: With the ability to control the robot remotely, malicious actors could potentially disrupt critical operations, leading to financial losses, reputational damage, and possible liability issues for organizations that rely on Unitree robotics in their processes.

Affected Version(s)

Unitree Go2 1.1.7 <= 1.1.9

Unitree Go2 1.1.11 (EDU only)

CVSS V4

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • 📈 Vulnerability started trending

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Olivier Laflamme
Ruikai Peng