CVE-2026-8153: Universal Robots PolyScope RCE Vulnerability

CVE-2026-8153 Overview

CVE-2026-8153 is an operating system command injection vulnerability in the Dashboard Server interface of Universal Robots PolyScope versions prior to 5.25.1. The flaw allows an unauthenticated network attacker to craft commands that execute arbitrary code on the robot's underlying operating system. The Dashboard Server is a network-exposed control interface used to manage robot programs, and improper sanitization of input passed to OS-level commands enables full compromise of the controller. Successful exploitation grants attackers full control over the robot's behavior, configuration, and any connected industrial process.

Critical Impact

Unauthenticated attackers reachable on the network can execute arbitrary OS commands on Universal Robots controllers, leading to complete loss of confidentiality, integrity, and availability of the robot.

Affected Products

• Universal Robots PolyScope versions prior to 5.25.1
• Universal Robots controllers exposing the Dashboard Server interface
• Industrial deployments using affected PolyScope releases on CB-series and e-Series robots

Discovery Timeline

• 2026-05-08 - CVE-2026-8153 published to the National Vulnerability Database
• 2026-05-11 - Last updated in NVD database

Technical Details for CVE-2026-8153

Vulnerability Analysis

The vulnerability is classified under CWE-78, Improper Neutralization of Special Elements used in an OS Command. The Dashboard Server interface in PolyScope accepts text-based commands over a network socket to control robot operations. The flaw exists because user-supplied input is concatenated into shell commands without proper neutralization of metacharacters.

An attacker capable of reaching the Dashboard Server port can submit a crafted command containing shell metacharacters. The injected payload executes in the context of the PolyScope process on the robot's controller operating system. No authentication is required, and the attack can be executed remotely across the network segment that exposes the interface.

The EPSS score of 1.532% (81.5th percentile) indicates measurable exploitation likelihood relative to other published CVEs.

Root Cause

The root cause is missing input validation and sanitization in the command parser of the Dashboard Server. Input received over the network is passed to OS-level command execution without escaping or allow-list filtering. The interface also lacks authentication, removing any barrier between a network attacker and code execution.

Attack Vector

The attack vector is network-based. An attacker connects to the Dashboard Server TCP port and sends a crafted command string that includes shell metacharacters such as semicolons, backticks, or pipe characters. The injected operating system command runs with the privileges of the Dashboard Server process. Refer to the Universal Robots Dashboard Server documentation for protocol details that describe legitimate command syntax.

No verified public proof-of-concept code is available at the time of publication. The vulnerability mechanism is described in prose because no validated exploit examples have been released.

Detection Methods for CVE-2026-8153

Indicators of Compromise

• Unexpected outbound network connections originating from Universal Robots controllers
• Dashboard Server log entries containing shell metacharacters such as ;, |, &&, or backticks within command parameters
• Unauthorized processes spawned by the PolyScope service on the robot controller
• Modifications to robot programs, installation files, or system configuration without operator action

Detection Strategies

• Inspect network traffic to the Dashboard Server port for command strings containing shell metacharacters or non-protocol payloads
• Monitor PolyScope logs for malformed Dashboard Server requests and authentication-less command sequences from unfamiliar source addresses
• Baseline normal Dashboard Server command traffic and alert on deviations in command syntax, source IP, or frequency

Monitoring Recommendations

• Forward robot controller and network sensor logs to a centralized SIEM for correlation across operational technology and information technology environments
• Alert on any new TCP session to Dashboard Server ports from outside an allow-listed engineering workstation range
• Track process creation events on the controller OS where supported, focusing on shells or interpreters launched by the PolyScope service

How to Mitigate CVE-2026-8153

Immediate Actions Required

• Upgrade Universal Robots PolyScope to version 5.25.1 or later on all affected controllers
• Isolate robot controllers on a segmented network reachable only from authorized engineering systems
• Block external and untrusted internal access to the Dashboard Server port at the firewall
• Inventory all Universal Robots deployments and confirm PolyScope version on each controller

Patch Information

Universal Robots addresses the vulnerability in PolyScope version 5.25.1. Operators must apply the vendor-supplied update to remove the command injection flaw in the Dashboard Server interface. Consult Universal Robots support channels for the specific firmware package matching each controller model.

Workarounds

• Restrict Dashboard Server network exposure using firewall rules or VLAN segmentation until patching is complete
• Disable the Dashboard Server interface where it is not required for production operations
• Place robot controllers behind an industrial demilitarized zone with explicit allow-listing of management hosts

# Example firewall rule restricting Dashboard Server access (port 29999)
# to a single engineering workstation
iptables -A INPUT -p tcp --dport 29999 -s 10.10.20.5 -j ACCEPT
iptables -A INPUT -p tcp --dport 29999 -j DROP