CVE-2025-35027

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-35027
Multiple robotic products by Unitree sharing a common firmware, including the Go2, G1, H1, and B2 devices, contain a command injection vulnerability. By setting a malicious string when configuring the on-board WiFi via a BLE module of an affected robot, then triggering a restart of the WiFi service, an attacker can ultimately trigger commands to be run as root via the wpa_supplicant_restart.sh shell script. All Unitree models use firmware derived from the same codebase (MIT Cheetah), and the two major forks are the G1 (humanoid) and Go2 (quadruped) branches.

7.3 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 5.2

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/Bin4ry/UniPwn
https://spectrum.ieee.org/unitree-robot-exploit
https://takeonme.org/cves/cve-2025-35027
https://www.cve.org/cverecord?id=CVE-2025-60017
https://www.cve.org/cverecord?id=CVE-2025-60250
https://x.com/committeeonccp/status/1971250635548033311
https://github.com/Bin4ry/UniPwn
Configurations

No configuration.

History

30 Sep 2025, 18:15

Type Values Removed Values Added
References () https://github.com/Bin4ry/UniPwn - () https://github.com/Bin4ry/UniPwn -

26 Sep 2025, 16:15

Type Values Removed Values Added
Summary (en) Multiple robotic products by Unitree sharing a common firmware, including the Go2, G1, H1, and B2 devices, contain a command injection vulnerability. By setting a malicious string when configuring the on-board WiFi via a BLE module of an affected robot, then triggering a restart of the WiFi service, an attacker can ultimately trigger commands to be run as root via the wpa_supplicant_restart.sh shell script. (en) Multiple robotic products by Unitree sharing a common firmware, including the Go2, G1, H1, and B2 devices, contain a command injection vulnerability. By setting a malicious string when configuring the on-board WiFi via a BLE module of an affected robot, then triggering a restart of the WiFi service, an attacker can ultimately trigger commands to be run as root via the wpa_supplicant_restart.sh shell script. All Unitree models use firmware derived from the same codebase (MIT Cheetah), and the two major forks are the G1 (humanoid) and Go2 (quadruped) branches.

26 Sep 2025, 08:15

Type Values Removed Values Added
References
  • {'url': 'https://https://takeonme.org/cves/cve-2025-35027', 'source': 'cve@takeonme.org'}
  • () https://takeonme.org/cves/cve-2025-35027 -

26 Sep 2025, 07:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-09-26 07:15

Updated : 2025-09-30 18:15

NVD link : CVE-2025-35027

Mitre link : CVE-2025-35027

CVE.ORG link : CVE-2025-35027

JSON object : View

Products Affected

No product.

CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')