Man’s Best Friend or Trojan Horse? Critical “Root” Flaws Unmasked in Unitree Robotic Canines
A domestic robotic canine can swiftly transmute into a veritable Trojan horse should an individual wielding a laptop and the requisite expertise find themselves in its proximity. Critical vulnerabilities have been unearthed within the ubiquitous Unitree models, empowering malicious actors to surreptitiously inject arbitrary code and seize absolute dominion over the apparatus.
This predicament specifically afflicts the Go2 lineage of models, encompassing the AIR iteration. These security flaws have been formally designated with the identifiers CVE-2026-27509 and CVE-2026-27510. Both vulnerabilities culminate in remote code execution, albeit by exploiting entirely disparate vectors of ingress. In the former scenario, an assailant infiltrates the robot’s internal service via a distributed data transfer protocol; in the latter, they manipulate data within the mobile application, thereby compelling the device to execute an arbitrary script.
The inaugural vulnerability, CVE-2026-27509, compromises firmware iterations up to and including version 1.1.11, persisting even beyond this threshold within the EDU edition. The automaton relies upon Eclipse CycloneDDS middleware to facilitate message exchange amongst its constituent modules. By default, the architects glaringly omitted the activation of cryptographic authentication. Consequently, any device residing upon the shared network can join the DDS domain and transmit messages directly to the programming_actuator service partition. The service blindly accepts this request, extracts the embedded Python payload, saves the file within the /unitree/etc/programming/ directory, and binds it to a specific button combination upon the remote control console.
The ensuing sequence is disarmingly simple: should the unsuspecting owner depress a combination such as R1+Y, the automaton instantaneously executes the stored file with full root privileges. There exists an absolute dearth of content verification, resource compartmentalization, or sandbox isolation. A solitary injection of the malicious script ensures its survival across subsequent reboots, as the button binding is preserved within a separate text file. In essence, the malefactor establishes a perpetual backdoor, lying dormant until awakened by a single button press.
Within firmware iteration 1.1.11, the manufacturer endeavored to mitigate the attack surface by disabling the automated broadcasting of service partitions across the network. The multitude of visible communication conduits was precipitously reduced from scores down to a mere four. Nevertheless, within the EDU variant, this inherently flawed mechanism remains lamentably accessible—a reality explicitly corroborated through subsequent correspondence with the corporation.
The secondary vulnerability, CVE-2026-27510, exploits the identical internal logic, yet circumvents the defenses via an entirely orthogonal vector. The proprietary Unitree Android application empowers users to architect visual behavioral scripts; one orchestrates actions within a graphical interface, whereupon the paradigm is transcribed into Python code and transmitted to the automaton. Analogous to the prior exploit, this code is entrenched within /unitree/etc/programming/ and invoked via a preordained keystroke combination.
Security researchers ascertained that the script’s plaintext is stored within a local SQLite database residing upon the smartphone. By obtaining superuser privileges upon the mobile device and manipulating the pyCode field within the corresponding table, an attacker can seamlessly interpose arbitrary Python code. Once the database is restored to its original location, the application blindly dispatches the adulterated script to the robot without a modicum of scrutiny. The ensuing mechanics remain steadfast: the file is written into the system directory, mapped to a physical button, and subsequently executed with the absolute authority of an administrator.
A profound, ancillary peril stems from the user script repository. The application champions the dissemination of bespoke programs, facilitating their distribution among fellow proprietors. Under specific alignments, a malefactor could cultivate a venomous script and propagate it across this digital bazaar, thereby paving an unhindered avenue toward the mass contagion of these devices.
In response, the manufacturer inaugurated a dedicated incident response center, culminating in the February 2026 deployment of the 1.1.13 update; this patch ameliorates CVE-2026-27510 and institutes supplementary validation for uploaded scripts. The ultimate resolution for CVE-2026-27509 within the EDU iteration, however, remains perilously shrouded in uncertainty.
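As an added illustration (not code from Unitree, the researchers, or the original article), the following sketch performs a static triage of scripts held in a pyCode column, of the kind an owner or responder could run over a copy of the application's SQLite database or over files found in /unitree/etc/programming/. The table name, the id column, the deny-lists and the sample rows are constructed assumptions; only the pyCode field name comes from the article.

```python
import ast
import sqlite3

# Assumption: modules a motion script has no reason to import.
RISKY_MODULES = {"os", "subprocess", "socket", "ctypes", "shutil", "urllib", "pty"}
# Assumption: builtins that run dynamic code or touch the filesystem.
RISKY_CALLS = {"exec", "eval", "compile", "__import__", "open"}

def audit_source(src):
    """Return a sorted list of findings for one script's source text."""
    try:
        tree = ast.parse(src)
    except SyntaxError as exc:
        return [f"unparseable: {exc.msg}"]
    findings = set()
    for node in ast.walk(tree):
        names = []
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        for name in names:
            root = name.split(".")[0]
            if root in RISKY_MODULES:
                findings.add(f"import:{root}")
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in RISKY_CALLS:
                findings.add(f"call:{node.func.id}")
    return sorted(findings)

def audit_db(conn, table="programs"):
    """Map row id -> findings; table and id names are hypothetical, pyCode is the article's."""
    rows = conn.execute(f'SELECT id, pyCode FROM "{table}"')
    return {rid: f for rid, code in rows if (f := audit_source(code or ""))}

def build_sample_db():
    """Constructed sample rows standing in for the app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE programs (id INTEGER PRIMARY KEY, pyCode TEXT)")
    conn.executemany("INSERT INTO programs VALUES (?, ?)", [
        (1, "import time\nstand_up()\ntime.sleep(1)\n"),
        (2, "import os\nos.system('echo test')\n"),
        (3, "from subprocess import run\nexec(payload)\n"),
        (4, "def broken(:\n"),
    ])
    return conn

if __name__ == "__main__":
    print(audit_db(build_sample_db()))
```

A deny-list of this sort is a triage aid for spotting scripts that warrant manual review; it is not a substitute for authentication on the transport or for running scripts without root.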