CVE-2026-27509
HIGHCVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
Unitree Go2 firmware versions V1.1.7 through V1.1.9 and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When the keybinding is pressed, the code executes as root and the binding persists across reboots.
Analysis
Unitree Go2 robots running firmware versions V1.1.7-V1.1.9 and V1.1.11 (EDU) lack authentication controls on the DDS actuator API, allowing network-adjacent attackers to inject and execute arbitrary Python code as root by publishing a crafted message. Public exploit code exists for this vulnerability, which enables persistent code execution through controller keybindings that survive reboots. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all Unitree Go2 robots and identify those running V1.1.7-V1.1.9 or V1.1.11 (EDU); isolate affected units from production networks and document their locations. Within 7 days: Restrict network access to affected robots using firewall rules to block DDS traffic on port 7400 (or relevant CycloneDDS ports) from untrusted networks; implement network segmentation to limit robot communication to trusted administrative subnets only. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today