CVE-2026-27509 Overview
CVE-2026-27509 is a critical missing authentication vulnerability affecting Unitree Go2 robotic dog firmware. The vulnerability exists because the Eclipse CycloneDDS implementation in Unitree Go2 firmware versions V1.1.7 through V1.1.9 and V1.1.11 (EDU) does not implement DDS authentication or authorization for the rt/api/programming_actuator/request topic handled by actuator_manager.py. This allows a network-adjacent, unauthenticated attacker to join DDS domain 0 and publish malicious messages containing arbitrary Python code, which the robot writes to disk and executes as root when a physical controller keybinding is pressed.
Critical Impact
An unauthenticated attacker on the adjacent network can achieve persistent remote code execution as root on the Unitree Go2 robot, with malicious code surviving reboots.
Affected Products
- Unitree Go2 Firmware V1.1.7
- Unitree Go2 Firmware V1.1.8
- Unitree Go2 Firmware V1.1.9
- Unitree Go2 Firmware V1.1.11 (EDU)
Discovery Timeline
- 2026-02-26 - CVE-2026-27509 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-27509
Vulnerability Analysis
This vulnerability is classified under CWE-306 (Missing Authentication for Critical Function). The Unitree Go2 firmware fails to implement any form of authentication or authorization on the DDS (Data Distribution Service) communication layer used for robot programming and control. The Eclipse CycloneDDS middleware, which facilitates real-time data exchange between components, accepts messages from any participant that joins DDS domain 0 without verifying identity or permissions.
The actuator_manager.py script processes messages on the rt/api/programming_actuator/request topic and specifically handles api_id=1002 requests by writing the payload content directly to disk under /unitree/etc/programming/. This content is then bound to a physical controller keybinding. The combination of unauthenticated DDS access and direct code execution creates a severe attack surface for adjacent network adversaries.
Root Cause
The root cause is the complete absence of DDS security features in the Unitree Go2 firmware implementation. The Eclipse CycloneDDS framework supports authentication and access control mechanisms, but these were not configured or enabled in the affected firmware versions. Additionally, the actuator_manager.py script accepts and processes arbitrary Python code from network messages without any validation, sanitization, or integrity checking before writing to disk and binding to controller inputs.
Attack Vector
The attack requires network adjacency to the Unitree Go2 robot, typically achieved by connecting to the same local network or Wi-Fi segment. An attacker can join DDS domain 0 using standard DDS tooling or custom code, then publish a crafted message with api_id=1002 to the rt/api/programming_actuator/request topic. The message payload contains arbitrary Python code, which the robot stores in /unitree/etc/programming/ and associates with a physical controller keybinding.
When a user or the attacker triggers the associated keybinding on the robot's controller, the malicious Python code executes with root privileges. The persistence mechanism ensures the malicious binding survives reboots, providing long-term access to the compromised device. Technical details and analysis are available in the Boschko RCE Analysis.
Detection Methods for CVE-2026-27509
Indicators of Compromise
- Unexpected files appearing in the /unitree/etc/programming/ directory on the robot
- Unusual DDS traffic or new participants joining DDS domain 0 from unknown sources
- Modified controller keybindings or unexpected behavior when pressing controller buttons
- Evidence of Python script execution in system logs with unknown or suspicious code paths
Detection Strategies
- Monitor network traffic for unauthorized DDS domain 0 join requests from devices not part of the expected robot control infrastructure
- Implement file integrity monitoring on the /unitree/etc/programming/ directory to detect unauthorized file creation or modification
- Audit controller keybinding configurations regularly to identify suspicious or unexpected bindings
- Deploy network segmentation to isolate robotic systems and monitor cross-segment DDS traffic
Monitoring Recommendations
- Enable logging of DDS participant discovery and message publication events where supported
- Implement network access controls to restrict which devices can communicate with the Unitree Go2 on DDS ports
- Periodically review system logs for evidence of unexpected Python execution or root-level process spawning
How to Mitigate CVE-2026-27509
Immediate Actions Required
- Isolate affected Unitree Go2 robots on a dedicated network segment with strict access controls
- Audit the /unitree/etc/programming/ directory for unauthorized files and remove any suspicious entries
- Review and reset controller keybindings to remove potentially malicious configurations
- Limit physical and network access to the robot until a patch is available
Patch Information
No official patch information is currently available from Unitree. Organizations should monitor the Unitree Product Page and the VulnCheck Advisory for updates on firmware releases that address this vulnerability.
Workarounds
- Deploy network-level access controls to prevent unauthorized devices from joining the same network segment as the Unitree Go2
- Implement firewall rules to restrict DDS traffic (typically UDP ports 7400-7500 and multicast addresses) to authorized control systems only
- Physically secure the robot in controlled environments where network adjacency by untrusted parties is not possible
- Consider disabling Wi-Fi on the robot and using wired connections in controlled network environments where feasible
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
