CVE-2025-2894: Unitree Go1 Backdoor Control Channel#

AHA! is issuing this disclosure of an issue with the Go1 from Unitree, reported to AHA! by the researchers credited below, in accordance with AHA!’s standard disclosure policy on March 27, 2025. CVE-2025-2894 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

Executive Summary#

The Unitree Go1, marketed as “The World’s First Intelligence Bionic Quadruped Robot Companion of Consumer Level,” ships with an undocumented remote-access channel: anyone in possession of a valid API key, the manufacturer included, can obtain complete remote control of the robot through the CloudSail remote access service by Oray.

This issue is an instance of CWE-912: Hidden Functionality, and is tentatively rated as AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H, which yields a CVSS v3.1 base score of 6.6.

A known valid API key for this issue has since been revoked, but users of the Go1 Robot Dog are encouraged to remove the affected service entirely, since revoking one key does nothing to prevent another from being issued.

Technical Details#

The CloudSail service (documented here) is normally set to auto-start on boot of the Go1 and creates a peer-to-peer (P2P) tunnel between any two endpoints, designed to traverse NAT boundaries that would otherwise block inbound connections. CloudSail’s main use case is remote control of IoT and ICS equipment that is otherwise difficult to reach.

The CloudSail client launches at boot on the Raspberry Pi, as a daemon and a worker process; the grep pattern below matches the vendor directory /usr/local/zhexi:

pi@raspberrypi:~ $ ps -ax | grep zhe
  425 ?        Ssl    0:00 /usr/local/zhexi/cloudsail/csclient start --mode=daemon
  507 ?        Sl     0:03 /usr/local/zhexi/cloudsail/csclient start --mode=worker

The marketing material for CloudSail states:

Traditional VPN must technically have a “fixed address server” role, which is the “center”, and all nodes must first connect to this center to communicate with each other. For remote interconnection, this center is a burden. Without this center, the direct connection between nodes will be simpler and more efficient, and single-point failure can be avoided. Unlike “Everyone is the center”, the real sense of decentralization is to eliminate any form of VPN server, whether it is In-cloud or On-premises. This is the latest version of Cassie.

In short, given a valid API key, this tunnel exposes the robot, and the network it is connected to, to outside control. This backdoor is not disclosed in any documentation accompanying the Go1 robot dog, and end users are given no way to opt in to or opt out of it.

For an in-depth discussion of the capabilities of this undisclosed tunnel, please see the PDF-formatted report, Unitree Go1: Who is speaking to my dog? by Andreas Makris (aka Bin4ry) and Kevin Finisterre (aka d0tslash).

Video demonstration#

A demo video is available at the YushuTechUnitreeGo1 GitHub repository.

Remediation#

Two days after this issue was reported, Unitree invalidated the API access token used to establish remote control via the CloudSail remote access service. Revoking one token does not close the channel, however: the issue is exposed again as soon as the manufacturer mints another valid token, so users concerned about future incursions are advised to disable the local CloudSail endpoint entirely. Doing so requires a root shell on the on-board Raspberry Pi, reached by logging in with the standard username and password of pi and 123 (which is itself arguably a hard-coded backdoor, given that some local scripts rely on this specific username and password). Note that disabling the unit only prevents it from starting at the next boot; the daemon and worker processes already running stay alive until the unit is also stopped or the Pi is rebooted.

root@raspberrypi:/home/pi/Unitree/autostart# systemctl disable CSClientDaemon
Removed /etc/systemd/system/multi-user.target.wants/CSClientDaemon.service.

You can also move the autostart "tunnel" directory out of the way so that it cannot autostart:

root@raspberrypi:/home/pi/Unitree/autostart# mv tunnel/ /root/tunnel_disabled/

More details on remediation can be found here

Attacker Value#

Given a valid access token, attackers can use the NAT-punching features of the CloudSail remote access tunneling network to take complete control of affected robot dogs and make them perform unexpected actions. Since these devices interact with the physical environment, and are sometimes used in law enforcement and military operations, the consequences of this unexpected remote control can be catastrophic for nearby property and people. Or, it can be used to prank your friends by making their robot dog do a funny dance or something.

In addition, an attacker can use the Go1 as an ingress point into an otherwise firewalled or NAT’ed network, since the tunnel gives them the same internal network access that the Go1 device itself has.

Credit#

This issue is being disclosed through the AHA! CNA and is credited to Andreas Makris (aka Bin4ry) and Kevin Finisterre (aka d0tslash), and was clumsily demonstrated at AHA! on their behalf by todb.

Timeline#

  • 2023-12-02 (Sat): Reported suspected but unconfirmed backdoor functionality to the vendor via Twitter
  • 2025-03-21 (Fri): Disclosed on Twitter
  • 2025-03-21 (Fri): Disclosed on GitHub
  • 2025-03-21 (Fri): Disclosed on LinkedIn
  • 2025-03-22 (Sat): Disclosed via email to the vendor
  • 2025-03-23 (Sun): Silently patched by the vendor (the known API token was invalidated)
  • 2025-03-24 (Mon): Reported by Cybernews reporter Ernestas Naprys
  • 2025-03-26 (Wed): Reached out to AHA! for disclosure coordination assistance.
  • 2025-03-27 (Thu): Demonstrated at AHA! Meeting 0x00de
  • 2025-03-27 (Thu): Public disclosure of CVE-2025-2894