Description
Unitree Go2 firmware versions V1.1.7 through V1.1.9 and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When the keybinding is pressed, the code executes as root and the binding persists across reboots.
Published: 2026-02-26
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Root-level Remote Code Execution via DDS authentication bypass
Action: Immediate Patch
AI Analysis

Impact

Unitree Go2 firmware versions V1.1.7 through V1.1.9 and V1.1.11 (EDU) expose a DDS topic without authentication, allowing an unauthenticated attacker on the same local network to publish a crafted message containing arbitrary Python code. The robot writes this code to disk and binds it to a physical controller key. When the key is pressed, the script runs as root and persists across reboots, granting the attacker persistent, full system control.

Affected Systems

The vulnerability affects UnitreeRobotics Unitree Go2 units running firmware V1.1.7, V1.1.8, V1.1.9, and the EDU variant V1.1.11. No other firmware versions are explicitly listed as affected.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not included in the CISA KEV catalog. The attack vector is network adjacent and requires no authentication; an attacker can simply join DDS domain 0 on the local network and publish the malicious payload. Persistence of the malicious keybinding across reboots, combined with execution as root, presents a severe threat if the device is exposed.

Generated by OpenCVE AI on April 16, 2026 at 16:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Unitree Go2 firmware to a version that implements DDS authentication for the "rt/api/programming_actuator/request" topic.
  • If a firmware update is unavailable, isolate the robot from the local network or block UDP traffic for DDS domain 0 to prevent unauthorized message publication.
  • Monitor the robot’s /unitree/etc/programming directory and controller keybindings for unexpected files or changes, and disable any newly created keybindings if discovered.

Generated by OpenCVE AI on April 16, 2026 at 16:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Unitree
Unitree go2
Unitree go2 Edu
Unitree go2 Edu Firmware
Unitree go2 Firmware
CPEs cpe:2.3:h:unitree:go2:-:*:*:*:*:*:*:*
cpe:2.3:h:unitree:go2_edu:-:*:*:*:*:*:*:*
cpe:2.3:o:unitree:go2_edu_firmware:1.1.11:*:*:*:*:*:*:*
cpe:2.3:o:unitree:go2_firmware:*:*:*:*:*:*:*:*
Vendors & Products Unitree
Unitree go2
Unitree go2 Edu
Unitree go2 Edu Firmware
Unitree go2 Firmware

Fri, 27 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Fri, 27 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Unitreerobotics
Unitreerobotics unitree Go2
Vendors & Products Unitreerobotics
Unitreerobotics unitree Go2

Thu, 26 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
Description Unitree Go2 firmware versions V1.1.7 through V1.1.9 and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When the keybinding is pressed, the code executes as root and the binding persists across reboots.
Title Unitree Go2 Missing DDS Authentication Enables Adjacent RCE
Weaknesses CWE-306
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Unitree Go2 Go2 Edu Go2 Edu Firmware Go2 Firmware
Unitreerobotics Unitree Go2
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-02-27T18:15:37.037Z

Reserved: 2026-02-19T19:51:07.327Z

Link: CVE-2026-27509

cve-icon Vulnrichment

Updated: 2026-02-27T17:53:43.111Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-26T20:31:38.447

Modified: 2026-03-12T20:17:02.667

Link: CVE-2026-27509

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T16:15:08Z

Weaknesses