Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-60017

CVE-2025-60017: Unitree Robotics RCE Vulnerability

CVE-2025-60017 is a remote code execution vulnerability in Unitree Go2, G1, H1, and B2 robotic devices that enables root OS command injection. This post covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-60017 Overview

CVE-2025-60017 is an operating system command injection vulnerability affecting Unitree Go2, G1, H1, and B2 robotic platforms through 2025-09-20. Attackers can inject arbitrary shell commands through the wifi_ssid or wifi_pass parameters processed by the hostapd_restart.sh script. The injection points reside within the restart_wifi_ap and restart_wifi_sta functions. Successful exploitation yields root-level command execution on the robot's onboard Linux system. The weakness is classified under [CWE-78] and has an adjacent-network attack vector.

Critical Impact

Attackers within wireless range can execute arbitrary commands as root on Unitree Go2, G1, H1, and B2 robots, gaining full control of the affected device.

Affected Products

  • Unitree Go2 quadruped robot (firmware through 2025-09-20)
  • Unitree G1 and H1 humanoid robots (firmware through 2025-09-20)
  • Unitree B2 quadruped robot (firmware through 2025-09-20)

Discovery Timeline

  • 2025-09-26 - CVE-2025-60017 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-60017

Vulnerability Analysis

The vulnerability resides in the hostapd_restart.sh shell script used to manage the robot's wireless access point and station configuration. The script accepts a Wi-Fi Service Set Identifier (SSID) and passphrase as parameters. These values are passed unsanitized to shell command constructs inside the restart_wifi_ap and restart_wifi_sta functions. An attacker supplying shell metacharacters such as backticks, semicolons, or command substitution syntax can break out of the intended argument context. The injected commands execute with root privileges because the wireless management scripts run under the robot's privileged service context. Public proof-of-concept material is available in the UniPwn GitHub repository, and additional context has been published in IEEE Spectrum's analysis.

Root Cause

The root cause is missing input validation and unsafe interpolation of user-controlled Wi-Fi parameters into shell command strings. Neither wifi_ssid nor wifi_pass is quoted or filtered before being passed to command invocations inside hostapd_restart.sh, allowing shell metacharacter injection.

Attack Vector

Exploitation requires adjacency to the robot on a wireless network segment where its Wi-Fi provisioning interface is reachable. The attacker submits crafted SSID or passphrase strings containing shell metacharacters through whichever provisioning path invokes hostapd_restart.sh. Because the script executes with elevated privileges, injected payloads run as root. The scope changes to include downstream sensors, actuators, cameras, and network interfaces controlled by the robot.

Detection Methods for CVE-2025-60017

Indicators of Compromise

  • Unexpected child processes spawned by hostapd_restart.sh or its parent Wi-Fi provisioning services.
  • SSID or passphrase values in configuration logs containing shell metacharacters such as ;, |, `, $(, or &&.
  • Outbound network connections initiated by the robot to unfamiliar hosts shortly after Wi-Fi reconfiguration events.
  • New or modified files under /tmp, /root, or /home on the robot that do not correspond to vendor firmware updates.

Detection Strategies

  • Inspect hostapd_restart.sh invocations for arguments containing shell metacharacters, quoting patterns, or command substitution syntax.
  • Correlate Wi-Fi configuration events with process execution telemetry to identify anomalous shells spawned from the wireless management path.
  • Baseline the robot's normal parent-child process tree and alert on deviations originating from network provisioning scripts.

Monitoring Recommendations

  • Forward robot syslog and process audit records to a centralized logging platform for retention and analysis.
  • Monitor the wireless management segment for hosts attempting to associate with the robot's provisioning interface using malformed SSID or passphrase values.
  • Alert on any successful root shell activity that follows a Wi-Fi reconfiguration event.

How to Mitigate CVE-2025-60017

Immediate Actions Required

  • Isolate affected Unitree Go2, G1, H1, and B2 robots on segmented wireless networks that block untrusted adjacent hosts.
  • Disable or restrict access to the robot's Wi-Fi provisioning interface when not actively in use.
  • Audit hostapd_restart.sh invocation logs for evidence of prior exploitation attempts using the UniPwn proof of concept.

Patch Information

No vendor advisory or patched firmware version was listed in the NVD entry at time of publication. Operators should monitor Unitree communications and the Hacker News discussion thread for updates, and apply firmware upgrades as they become available.

Workarounds

  • Operate affected robots only on isolated wireless networks with strong pre-shared keys and MAC allowlisting to limit adjacent access.
  • Where feasible, disable the built-in Wi-Fi access point mode and provision networking through wired interfaces only.
  • Restrict physical and wireless access to environments where trusted operators can supervise robot provisioning activity.
bash
# Example: place the robot on an isolated VLAN and block inbound access to its Wi-Fi provisioning service
iptables -A INPUT -i wlan0 -s 0.0.0.0/0 -j DROP
iptables -A INPUT -i wlan0 -s 192.168.50.0/24 -j ACCEPT

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.