CVE-2025-35027
Published: 26 September 2025
Summary
CVE-2025-35027 is a high-severity OS Command Injection (CWE-78) vulnerability in Unitree G1 Firmware. Its CVSS base score is 7.3 (High).
Operationally, it is ranked in the top 48.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2025-35027 is a command injection vulnerability present in multiple Unitree robotic platforms, including the Go2, G1, H1, and B2 models. These devices share a common firmware base derived from the MIT Cheetah codebase, with the primary forks being the G1 humanoid and Go2 quadruped branches. The flaw resides in the handling of WiFi configuration strings received over the on-board BLE module; when a malicious value is supplied and the WiFi service is subsequently restarted, the wpa_supplicant_restart.sh script executes the attacker-controlled input as root.
An attacker with adjacent-network access and limited privileges can exploit the issue by writing a crafted string through the BLE interface and forcing a WiFi service restart. Successful exploitation grants the ability to run arbitrary commands as root, resulting in full control over confidentiality and integrity of the affected robot while leaving availability unaffected. The CVSS 7.3 score reflects the low attack complexity and the absence of required user interaction.
Public references, including proof-of-concept material at github.com/Bin4ry/UniPwn and coverage at spectrum.ieee.org and takeonme.org, document the vulnerability but do not detail vendor-supplied patches or configuration workarounds in the provided sources.
EPSS scores for the CVE rose from a low baseline to a recorded peak of 0.0104, indicating measurable exploitation interest after disclosure.
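The weakness class described above (CWE-78 in a root-run restart script) is avoided by treating the BLE-supplied SSID and passphrase strictly as data. The shell functions below are an added example, not Unitree's code and not taken from the referenced sources. The function names and the choice to write a wpa_supplicant network block are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not Unitree firmware code. Function names are hypothetical.
# BLE-supplied WiFi values are length- and charset-checked, the SSID is
# hex-encoded, and nothing is ever passed to eval, sh -c, or an unquoted
# expansion. printf '%s' writes the values as literal bytes.

# Number of bytes in $1 that fall outside printable ASCII (0x20-0x7e).
nonprintable_count() {
    printf '%s' "$1" | LC_ALL=C tr -d ' -~' | wc -c | tr -d ' '
}

# Print the SSID as hex if it is 1..32 bytes long, otherwise fail.
# wpa_supplicant accepts an unquoted ssid= value as a hex string.
ssid_to_hex() {
    local n
    n=$(printf '%s' "$1" | wc -c | tr -d ' ')
    [ "$n" -ge 1 ] && [ "$n" -le 32 ] || return 1
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# WPA2 passphrase: 8..63 printable ASCII characters. Double quotes are also
# rejected (a conservative choice) because the value is written quoted.
valid_passphrase() {
    local n
    n=$(printf '%s' "$1" | wc -c | tr -d ' ')
    [ "$n" -ge 8 ] && [ "$n" -le 63 ] || return 1
    [ "$(nonprintable_count "$1")" -eq 0 ] || return 1
    case $1 in *\"*) return 1 ;; esac
    return 0
}

# Emit a network block on stdout, or return 1 and emit nothing.
emit_network_block() {
    local hex
    hex=$(ssid_to_hex "$1") || return 1
    valid_passphrase "$2" || return 1
    printf 'network={\n\tssid=%s\n\tpsk="%s"\n}\n' "$hex" "$2"
}
```

A passphrase containing shell syntax is still accepted, because it is only ever written as literal text; the protection comes from never evaluating the value, with the length and charset checks as a second layer.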
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-31217
Vulnerability details
Multiple robotic products by Unitree sharing a common firmware, including the Go2, G1, H1, and B2 devices, contain a command injection vulnerability. By setting a malicious string when configuring the on-board WiFi via a BLE module of an affected robot, then triggering a restart of the WiFi service, an attacker can ultimately trigger commands to be run as root via the wpa_supplicant_restart.sh shell script. All Unitree models use firmware derived from the same codebase (MIT Cheetah), and the two major forks are the G1 (humanoid) and Go2 (quadruped) branches.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.