CVE-2025-35027: Unitree Robotics wpa_supplicant_restart.sh Command Injection#

AHA! has discovered an issue with the Go2, G1, H1, and B2 series robots (which include both the quadruped and biped model lines) from Unitree, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on Friday, September 26, 2025. CVE-2025-35027 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

The GCVE identifier for this issue is GCVE-1337-2025-00000000000000000000000000000000000000000000000001011011111110011111111110000000000000000000000000000000000000000000000000000000010

Executive Summary#

By supplying a crafted SSID or password when configuring the on-board WiFi over the BLE module of an affected robot, then triggering a restart of the WiFi service, an attacker can cause arbitrary commands to be run as root via the wpa_supplicant_restart.sh shell script. This is an instance of CWE-78, “Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’),” and an estimated CVSS vector is CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, which scores as a 7.3. The relevant SSVC vectors for this vulnerability are Exploitation: PoC and Technical Impact: Total.

Technical Details#

Affected robots intentionally expose a WiFi configuration interface over Bluetooth Low Energy (BLE), available to any authenticated user. The chosen SSID and the password for the on-board WiFi are ultimately passed to the restart script in the form:

sudo sh /unitree/module/network_manager/upper_bluetooth/wpa_supplicant_restart.sh "wifi_ssid wifi_pass"

Note the lack of escaping or any other sanitization: the SSID and password are interpolated directly into a single double-quoted shell argument, so merely closing that first " and appending custom shell commands, smuggled in as the SSID or the password, is straightforward.
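The following is an added illustration, not Unitree’s code or anything from the UniPwn repo: it rebuilds the command line shown above from an SSID and password, simulates the shell’s word splitting with Python’s shlex so the quote break-out is visible without running anything, and shows a hardened builder beside it. The script path is the one quoted above; the sample SSIDs and passphrases (including the harmless `id` payload) are constructed for the example.

```python
"""Added example (not Unitree's code): how an SSID or passphrase breaks out of
the double-quoted argument in

    sudo sh .../wpa_supplicant_restart.sh "wifi_ssid wifi_pass"

and what a hardened builder looks like.  Nothing here runs a command; the
shell's word splitting is simulated with shlex so the break-out is visible.
The script path is the one quoted in the advisory; the sample SSIDs and
passphrases are constructed."""
import re
import shlex

SCRIPT = "/unitree/module/network_manager/upper_bluetooth/wpa_supplicant_restart.sh"


def build_vulnerable_cmdline(ssid: str, password: str) -> str:
    """The pattern from the advisory: raw interpolation into one shell string."""
    return f'sudo sh {SCRIPT} "{ssid} {password}"'


def shell_words(cmdline: str) -> list[str]:
    """Tokenise like /bin/sh would: quotes removed, ';' emitted as its own token."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def simulated_commands(cmdline: str) -> list[list[str]]:
    """Split the token stream at ';' to show how many commands sh would run."""
    cmds: list[list[str]] = []
    cur: list[str] = []
    for w in shell_words(cmdline):
        if w == ";":
            if cur:
                cmds.append(cur)
            cur = []
        else:
            cur.append(w)
    if cur:
        cmds.append(cur)
    return cmds


# Hardened path ---------------------------------------------------------------
SSID_MAX_OCTETS = 32                                  # 802.11 SSID limit
PASSPHRASE_RE = re.compile(r"^[\x20-\x7e]{8,63}$")    # WPA passphrase: 8-63 printable ASCII
PSK_HEX_RE = re.compile(r"^[0-9a-fA-F]{64}$")         # or a raw 256-bit PSK as 64 hex digits


def validate(ssid: str, password: str) -> None:
    """Length/charset checks only.  A legal passphrase may still contain '"',
    ';' or '$', so validation does NOT replace proper quoting."""
    if not 1 <= len(ssid.encode("utf-8")) <= SSID_MAX_OCTETS:
        raise ValueError("SSID must be 1-32 octets")
    if not (PASSPHRASE_RE.match(password) or PSK_HEX_RE.match(password)):
        raise ValueError("passphrase must be 8-63 printable ASCII or 64 hex digits")


def build_hardened_argv(ssid: str, password: str) -> list[str]:
    """Preferred form: an argv list for subprocess.run(..., shell=False).  No
    shell parses the values, and SSID and passphrase travel as two separate
    arguments instead of one space-joined string (an SSID may itself contain
    spaces)."""
    validate(ssid, password)
    return ["sudo", "sh", SCRIPT, ssid, password]


def build_hardened_cmdline(ssid: str, password: str) -> str:
    """If a single shell string is unavoidable, quote each value with shlex.quote."""
    validate(ssid, password)
    return f"sudo sh {SCRIPT} {shlex.quote(ssid)} {shlex.quote(password)}"


if __name__ == "__main__":
    benign = ("HomeNet", "correct horse")
    hostile = ('x"; id; "', "correct horse")   # constructed: closes the quote, runs `id`
    for s, p in (benign, hostile):
        print("vulnerable:", simulated_commands(build_vulnerable_cmdline(s, p)))
        print("hardened:  ", simulated_commands(build_hardened_cmdline(s, p)))
```

With the hostile SSID the vulnerable builder yields three commands (the truncated sudo invocation, `id`, and the leftover tail), while the quoted builder yields exactly one command with the SSID delivered intact as a single argument. Note that the script itself must also quote `"$1"` and `"$2"` wherever it uses them; the argv form only guarantees that the caller’s shell is not the one doing the interpreting.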

The original, complete disclosure can be found at the UniPwn GitHub repo (archived at archive.today).

The requirement for an “authenticated” user (and the related CVSS vector PR:L) is somewhat misleading, considering that CVE-2025-60250 (disclosed by MITRE in tandem with this issue) describes a trivially bypassed authentication mechanism (and of course, is itself PR:N).

A sufficient fix for CVE-2025-60250 would block this particular attack vector, though the “any authenticated user” condition would still constitute a privilege escalation, since wpa_supplicant_restart.sh runs as root.

Note that CVE-2025-60017 mentions both functions restart_wifi_ap and restart_wifi_sta, but only mentions hostapd_restart.sh as a viable vector to trigger this issue. This is incorrect insofar as it blends two code paths for exploitation. CVE-2025-35027 (this issue) describes a distinct, independently fixable (and triggerable) code path, and any forensic investigation involving this issue should be aware of the system() calls present in both shell scripts, hostapd_restart.sh and wpa_supplicant_restart.sh.
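For the forensic angle, here is an added triage check (ours, not Unitree’s and not part of UniPwn) that walks sudo’s syslog records looking for invocations of either restart script. It assumes sudo’s default “COMMAND=” record with the script’s arguments appended as received, and the log lines below are constructed. The rules are derived from the injection shape described above rather than taken from the advisory: since the attacker closes the double quote, everything after it executes outside sudo, so the most visible trace in sudo’s own record is a truncated argument; the metacharacter rule is belt-and-braces for cases where payload fragments do reach sudo.

```python
"""Added example (not Unitree's code): triage of sudo syslog records for
invocations of hostapd_restart.sh / wpa_supplicant_restart.sh whose argument
is truncated or carries shell metacharacters.  Log format assumed to be sudo's
default "USER=... ; COMMAND=<argv joined by spaces>"; sample lines constructed."""
import re
from typing import Iterable, List, Optional

# sudo's default syslog record (assumed): "... sudo: <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=..."
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s*:.*?\bUSER=(?P<target>\S+)\s*;\s*COMMAND=(?P<command>.*)$"
)
# Either restart script named in the advisory, followed by whatever arguments sudo recorded.
SCRIPT_RE = re.compile(r"(?P<script>hostapd_restart\.sh|wpa_supplicant_restart\.sh)\b(?P<tail>.*)$")
# Characters an SSID/passphrase never needs in order to reach the script legitimately.
METACHAR_RE = re.compile(r"""[;|&`$<>(){}"'\\]""")


def triage_sudo_record(line: str) -> Optional[dict]:
    """Return a finding dict for a restart-script invocation, None for other lines."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    s = SCRIPT_RE.search(m.group("command"))
    if not s:
        return None
    tail = s.group("tail").strip()
    reasons = []
    if METACHAR_RE.search(tail):
        reasons.append("shell metacharacters in SSID/passphrase argument")
    if len(tail.split()) < 2:
        # The script expects "<ssid> <pass>"; fewer tokens suggests the quote was closed early.
        reasons.append("argument truncated (quote closed early?)")
    return {
        "user": m.group("user"),
        "target": m.group("target"),
        "script": s.group("script"),
        "argument": tail,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def triage_log(lines: Iterable[str]) -> List[dict]:
    """All suspicious restart-script invocations in the given log lines."""
    return [r for r in map(triage_sudo_record, lines) if r and r["suspicious"]]


# Constructed sample records, not taken from any real device.
_PFX = "Sep 26 09:%s go2 sudo:  unitree : TTY=unknown ; PWD=/unitree/module/network_manager ; USER=root ; COMMAND=/bin/sh /unitree/module/network_manager/upper_bluetooth/"
SAMPLE_AUTH_LOG = [
    _PFX % "12:01" + "wpa_supplicant_restart.sh HomeNet correct horse",   # benign
    _PFX % "13:44" + "wpa_supplicant_restart.sh x",                       # truncated: quote closed after "x"
    _PFX % "15:02" + "hostapd_restart.sh Go2_AP",                         # truncated, AP path
    _PFX % "16:10" + "wpa_supplicant_restart.sh HomeNet don't stop",      # benign but trips the quote rule
    "Sep 26 09:17:30 go2 sudo:  unitree : TTY=pts/0 ; PWD=/home/unitree ; USER=root ; COMMAND=/usr/bin/systemctl restart ssh",
]

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_AUTH_LOG):
        print(finding["script"], repr(finding["argument"]), finding["reasons"])
```

Treat hits as leads, not verdicts: a legitimate passphrase containing a quote character trips the metacharacter rule, and a multi-word SSID is expected to produce more than two tokens. Corroborate with the BLE service’s own logs and the resulting wpa_supplicant/hostapd configuration on the device.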

Attacker Value#

The most obvious attack chain would involve first pairing with the vulnerable robotic device over BLE. This is trivially accomplished by leveraging the bug described by CVE-2025-60250 and using the static key and IV:

AES_KEY = "df98b715d5c6ed2b25817b6f2554124a"
AES_IV  = "2841ae97419c2973296a0d4bdfe19a4f"

Once paired, the only “authentication” mechanism is to provide the string “unitree” as the handshake secret (as described by CVE-2025-60251). In other words, there is no authentication at all after pairing: the check consists entirely of decrypting with the static AES key and IV and testing for the string value “unitree”.

After an attacker pairs with an affected device, they can subsequently run any command on the robot, as root, by poisoning the SSID or passphrase values. Since this includes echoing a file to the filesystem and then executing it, this issue (when combined with CVE-2025-60250) is extremely viral.

It’s important to note that a clever attacker can split their payload into 32 + 63 byte chunks (the SSID and passphrase limits) delivered over multiple associations, resetting the SSID and passphrase each time (or 32 + 64 bytes if the passphrase consists solely of characters in the range 0-9a-f, but this would be madness for one extra byte of payload). This can be done by leveraging either, or both, of CVE-2025-60017 and CVE-2025-35027.

Imagine a scenario where one robot is placed in range of a sufficiently motivated attacker, such as a hostage situation or a bomb defusing (both being reported uses of Unitree robots). The attacker could take complete control of the robot, then walk the robot toward other similarly vulnerable robots, and automatically place those robots under the attacker’s control as soon as they’re in range of the Patient Zero robot.

Robots compromised in this way can endanger the lives, health, and property of their authorized operators and bystanders, as well as serve as traditional bastion hosts for more subtle surveillance or further pure-cyber attacks, for less violently-minded attackers.

As of this disclosure, this issue is exposed on every Go2, G1, H1, and B2 device with current firmware. Tested firmware versions include the Go2 versions 1.0.19 through 1.1.7 and G1 versions 1.30 through 1.6.0.

Credit#

This issue was first discovered and reported by Andreas Makris (aka Bin4ry), Kevin Finisterre (aka h0stile), and Konstantin Severov (aka legion1581).

Timeline#

  • 2025-05-14 (Wed): Initial contact with Unitree via unitree_ros issue 126 and email to the vendor
  • 2025-07-20 (Sun): The vendor indicated a fix may take years to implement
  • 2025-09-20 (Sat): Public disclosure via the UniPwn repo
  • 2025-09-25 (Thu): Reported by SPECTRUM magazine and noticed by Congress
  • 2025-09-25 (Thu): Presented at regularly scheduled AHA! meeting 0x00e4
  • 2025-09-26 (Fri): MITRE published CVE-2025-60017, CVE-2025-60250, and CVE-2025-60251
  • 2025-09-26 (Fri): Public disclosure of CVE-2025-35027