HIGH · 7.3

CVE-2025-35027

Multiple robotic products by Unitree sharing a common firmware, including the Go2, G1, H1, and B2 devices, contain a command injection vulnerability. By setting a malicious string when configuring the...

Vulnerability Description

Multiple robotic products by Unitree sharing a common firmware, including the Go2, G1, H1, and B2 devices, contain a command injection vulnerability. By setting a malicious string when configuring the on-board WiFi via a BLE module of an affected robot, then triggering a restart of the WiFi service, an attacker can ultimately trigger commands to be run as root via the wpa_supplicant_restart.sh shell script. All Unitree models use firmware derived from the same codebase (MIT Cheetah), and the two major forks are the G1 (humanoid) and Go2 (quadruped) branches.
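The defensive counterpart to the bug class described above, as an added example that is not Unitree's code: BLE-supplied Wi-Fi credentials are allow-list validated, written to wpa_supplicant.conf in hex and pre-derived PSK form (so the bytes are never parsed as quoting or shell syntax), and the restart is invoked with an argv list rather than a shell string. The script path, function names and the script's config-path argument are assumptions.

```python
import hashlib
import re
import subprocess

# Limits from 802.11 / WPA2-Personal: SSID is 1..32 bytes,
# passphrase is 8..63 printable ASCII characters.
PSK_RE = re.compile(r"^[\x20-\x7e]{8,63}$")
RESTART_SCRIPT = "/usr/local/bin/wpa_supplicant_restart.sh"  # hypothetical path


def vulnerable_apply(ssid: str, psk: str) -> None:
    """Anti-pattern of the CVE's bug class (never call this): credentials are
    spliced into a shell command line, so shell metacharacters in either
    field are interpreted by the root shell running the restart script."""
    subprocess.run(f"{RESTART_SCRIPT} {ssid} {psk}", shell=True, check=True)


def is_valid_wifi_config(ssid: str, psk: str) -> bool:
    """Allow-list check applied before anything touches a file or a process."""
    raw = ssid.encode("utf-8")
    if not 1 <= len(raw) <= 32 or any(b < 0x20 or b == 0x7F for b in raw):
        return False
    return PSK_RE.fullmatch(psk) is not None


def derive_psk(ssid: str, psk: str) -> str:
    """WPA2-Personal PSK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32).hex()


def render_wpa_conf(ssid: str, psk: str) -> str:
    """Build wpa_supplicant.conf with hex ssid and hex psk: no quoted strings,
    so credential bytes cannot become config or shell syntax."""
    if not is_valid_wifi_config(ssid, psk):
        raise ValueError("rejected Wi-Fi credentials")
    return (
        "ctrl_interface=/run/wpa_supplicant\n"
        "network={\n"
        f"    ssid={ssid.encode('utf-8').hex()}\n"
        f"    psk={derive_psk(ssid, psk)}\n"
        "}\n"
    )


def restart_argv(conf_path: str) -> list:
    """argv list, never a shell string; the script sees only the config path."""
    return [RESTART_SCRIPT, conf_path]


def apply_wifi_config(ssid: str, psk: str, conf_path: str) -> None:
    """Validate, write the config, then restart without a shell in the loop."""
    with open(conf_path, "w") as fh:
        fh.write(render_wpa_conf(ssid, psk))
    subprocess.run(restart_argv(conf_path), check=True)
```

The sample SSID and passphrase used in the checks are constructed values.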

CVSS Score

7.3

HIGH

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: NONE

Affected Products

Vendor    Product        Versions
Unitree   G1 Firmware    <= 1.4.4
Unitree   G1             -
Unitree   Go2 Firmware   <= 1.1.8
Unitree   Go2            -
Unitree   H1 Firmware    <= 1.4.4
Unitree   H1             -
Unitree   B2 Firmware    <= 1.1.8
Unitree   B2             -

Related Weaknesses (CWE)

References

FAQ

What is CVE-2025-35027?

CVE-2025-35027 is a vulnerability with a CVSS score of 7.3 (HIGH). Multiple robotic products by Unitree sharing a common firmware, including the Go2, G1, H1, and B2 devices, contain a command injection vulnerability. By setting a malicious string when configuring the...

How severe is CVE-2025-35027?

CVE-2025-35027 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-35027?

Check the references section above for vendor advisories and patch information. Affected products include: Unitree G1 Firmware, Unitree G1, Unitree Go2 Firmware, Unitree Go2, Unitree H1 Firmware.