CVE-2025-35027

HIGH EPSS 80.9%
Published Sep 26, 20259mo ago · Modified Jun 17, 20261w ago
7.3 CVSS 3.1
High
Find Similar
Published Sep 26, 2025 9mo ago
Last Modified Jun 17, 2026 1w ago

Description

Multiple robotic products by Unitree sharing a common firmware, including the Go2, G1, H1, and B2 devices, contain a command injection vulnerability. By setting a malicious string when configuring the on-board WiFi via a BLE module of an affected robot, then triggering a restart of the WiFi service, an attacker can ultimately trigger commands to be run as root via the wpa_supplicant_restart.sh shell script. All Unitree models use firmware derived from the same codebase (MIT Cheetah), and the two major forks are the G1 (humanoid) and Go2 (quadruped) branches.

CVSS Details

Base Score
7.3
Exploitability
2.1
Impact
5.2
Vector string
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector Adjacent
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
80.9% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-78 OS Command Injection Injection

Affected Products 8

VendorProductVersionRange
unitreeg1_firmware* ≤1.4.4
unitreeg1*any
unitreego2_firmware* ≤1.1.8
unitreego2*any
unitreeh1_firmware* ≤1.4.4
unitreeh1*any
unitreeb2_firmware* ≤1.1.8
unitreeb2*any

References 6

  • github.com https://github.com/Bin4ry/UniPwn
    ExploitTechnical Description
  • spectrum.ieee.org https://spectrum.ieee.org/unitree-robot-exploit
    Press/Media Coverage
  • takeonme.org https://takeonme.org/cves/cve-2025-35027
    ExploitThird Party Advisory
  • cve.org https://www.cve.org/cverecord?id=CVE-2025-60017
    Third Party Advisory
  • cve.org https://www.cve.org/cverecord?id=CVE-2025-60250
    Third Party Advisory
  • x.com https://x.com/committeeonccp/status/1971250635548033311
    Press/Media Coverage

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.