Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities found for Go1 by Unitree
CVE-2025-2894 (GCVE-0-2025-2894)
Vulnerability from cvelistv5 – Published: 2025-03-28 02:51 – Updated: 2025-04-03 14:37
VLAI
Title
Unitree Go1 Robot Dog Backdoor Control Channel
Summary
The Go1 also known as "The World's First Intelligence Bionic Quadruped Robot Companion of Consumer Level," contains an undocumented backdoor that can enable the manufacturer, and anyone in possession of the correct API key, complete remote control over the affected robotic device using the CloudSail remote access service.
Severity
6.6 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-912 - Hidden Functionality
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/MAVProxyUser/YushuTechUnitreeG… | technical-description |
| https://x.com/d0tslash/status/1730989109332607208 | related |
| https://github.com/unitreerobotics/unitree_ros/is… | issue-tracking |
| https://takeonme.org/cves/cve-2025-2894/ | third-party-advisory |
| https://www.axios.com/2025/04/01/threat-spotlight… | media-coverage |
Date Public
2025-03-28 00:53
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2894",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T15:40:56.582769Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T15:41:30.159Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Go1",
"vendor": "Unitree",
"versions": [
{
"status": "affected",
"version": "2022_05_11_e0d0e617"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Andreas Makris"
},
{
"lang": "en",
"type": "finder",
"value": "Kevin Finisterre"
},
{
"lang": "en",
"type": "coordinator",
"value": "todb"
}
],
"datePublic": "2025-03-28T00:53:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Go1\u0026nbsp;also known as \"The World\u0027s First Intelligence Bionic Quadruped Robot Companion of Consumer Level,\" contains an undocumented backdoor that can enable the manufacturer, and anyone in possession of the correct API key, complete remote control over the affected robotic device using the CloudSail remote access service.\u003cbr\u003e"
}
],
"value": "The Go1\u00a0also known as \"The World\u0027s First Intelligence Bionic Quadruped Robot Companion of Consumer Level,\" contains an undocumented backdoor that can enable the manufacturer, and anyone in possession of the correct API key, complete remote control over the affected robotic device using the CloudSail remote access service."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-912",
"description": "CWE-912: Hidden Functionality",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T14:37:08.450Z",
"orgId": "26969f82-7e87-44d8-9cb5-f6fb926ddd43",
"shortName": "AHA"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://github.com/MAVProxyUser/YushuTechUnitreeGo1/blob/main/Unitree_report.pdf"
},
{
"tags": [
"related"
],
"url": "https://x.com/d0tslash/status/1730989109332607208"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/unitreerobotics/unitree_ros/issues/120"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://takeonme.org/cves/cve-2025-2894/"
},
{
"tags": [
"media-coverage"
],
"url": "https://www.axios.com/2025/04/01/threat-spotlight-backdoor-in-chinese-robots-future-of-cybersecurity"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unitree Go1 Robot Dog Backdoor Control Channel",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "26969f82-7e87-44d8-9cb5-f6fb926ddd43",
"assignerShortName": "AHA",
"cveId": "CVE-2025-2894",
"datePublished": "2025-03-28T02:51:19.768Z",
"dateReserved": "2025-03-28T00:53:27.892Z",
"dateUpdated": "2025-04-03T14:37:08.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2894 (GCVE-0-2025-2894)
Vulnerability from nvd – Published: 2025-03-28 02:51 – Updated: 2025-04-03 14:37
VLAI
Title
Unitree Go1 Robot Dog Backdoor Control Channel
Summary
The Go1 also known as "The World's First Intelligence Bionic Quadruped Robot Companion of Consumer Level," contains an undocumented backdoor that can enable the manufacturer, and anyone in possession of the correct API key, complete remote control over the affected robotic device using the CloudSail remote access service.
Severity
6.6 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-912 - Hidden Functionality
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/MAVProxyUser/YushuTechUnitreeG… | technical-description |
| https://x.com/d0tslash/status/1730989109332607208 | related |
| https://github.com/unitreerobotics/unitree_ros/is… | issue-tracking |
| https://takeonme.org/cves/cve-2025-2894/ | third-party-advisory |
| https://www.axios.com/2025/04/01/threat-spotlight… | media-coverage |
Date Public
2025-03-28 00:53
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2894",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T15:40:56.582769Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T15:41:30.159Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Go1",
"vendor": "Unitree",
"versions": [
{
"status": "affected",
"version": "2022_05_11_e0d0e617"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Andreas Makris"
},
{
"lang": "en",
"type": "finder",
"value": "Kevin Finisterre"
},
{
"lang": "en",
"type": "coordinator",
"value": "todb"
}
],
"datePublic": "2025-03-28T00:53:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Go1\u0026nbsp;also known as \"The World\u0027s First Intelligence Bionic Quadruped Robot Companion of Consumer Level,\" contains an undocumented backdoor that can enable the manufacturer, and anyone in possession of the correct API key, complete remote control over the affected robotic device using the CloudSail remote access service.\u003cbr\u003e"
}
],
"value": "The Go1\u00a0also known as \"The World\u0027s First Intelligence Bionic Quadruped Robot Companion of Consumer Level,\" contains an undocumented backdoor that can enable the manufacturer, and anyone in possession of the correct API key, complete remote control over the affected robotic device using the CloudSail remote access service."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-912",
"description": "CWE-912: Hidden Functionality",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T14:37:08.450Z",
"orgId": "26969f82-7e87-44d8-9cb5-f6fb926ddd43",
"shortName": "AHA"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://github.com/MAVProxyUser/YushuTechUnitreeGo1/blob/main/Unitree_report.pdf"
},
{
"tags": [
"related"
],
"url": "https://x.com/d0tslash/status/1730989109332607208"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/unitreerobotics/unitree_ros/issues/120"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://takeonme.org/cves/cve-2025-2894/"
},
{
"tags": [
"media-coverage"
],
"url": "https://www.axios.com/2025/04/01/threat-spotlight-backdoor-in-chinese-robots-future-of-cybersecurity"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unitree Go1 Robot Dog Backdoor Control Channel",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "26969f82-7e87-44d8-9cb5-f6fb926ddd43",
"assignerShortName": "AHA",
"cveId": "CVE-2025-2894",
"datePublished": "2025-03-28T02:51:19.768Z",
"dateReserved": "2025-03-28T00:53:27.892Z",
"dateUpdated": "2025-04-03T14:37:08.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}