Cyber Posture

CVE-2026-27510

Critical · Public PoC

Published: 26 February 2026
Modified: 12 March 2026
KEV Added: —
Patch: —
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0014 (33.0th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27510 is a critical-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Unitree Go2 Firmware. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE is ranked at the 33.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210) and two other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-7 (prevent · detect)
SI-7 mandates integrity verification mechanisms for software, firmware, and information, directly addressing the absence of checks on user-supplied Python programs before root execution on the robot.

SI-10 (prevent)
SI-10 requires validation of all information inputs, preventing injection of arbitrary malicious Python code via tampering with the Android app's SQLite database programme_text field.

SC-18 (prevent)
SC-18 establishes controls and approval processes for mobile code execution, mitigating risks from unverified user-created programs transmitted from the app or marketplace to the robot.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.006 Python (Execution)
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

The vulnerability enables remote code execution by exploiting the robot's actuator_manager.py service (T1210), directly with root privileges (T1068), using injected Python code (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Unitree Go2 firmware versions 1.1.7 through 1.1.11, when used with the Unitree Go2 Android application (com.unitree.doggo2), are vulnerable to remote code execution due to missing integrity protection and validation of user-created programmes. The Android application stores programs in a local SQLite database (unitree_go2.db, table dog_programme) and transmits the programme_text content, including the pyCode field, to the robot. The robot's actuator_manager.py executes the supplied Python as root without integrity verification or content validation. An attacker with local access to the Android device can tamper with the stored programme record to inject arbitrary Python that executes when the user triggers the program via a controller keybinding, and the malicious binding persists across reboots. Additionally, a malicious program shared through the application's community marketplace can result in arbitrary code execution on any robot that imports and runs it.

Deeper analysis [AI-generated]

CVE-2026-27510 is a remote code execution vulnerability (CWE-345: Insufficient Verification of Data Authenticity) affecting Unitree Go2 firmware versions 1.1.7 through 1.1.11 when paired with the Unitree Go2 Android application (com.unitree.doggo2). The issue arises from a lack of integrity protection and validation for user-created programs. The Android app stores these programs in a local SQLite database (unitree_go2.db, table dog_programme) and transmits the programme_text content, including the pyCode field, to the robot. The robot's actuator_manager.py then executes the supplied Python code as root without any integrity verification or content validation.

Attackers with local access to the victim's Android device can tamper with the stored programme record in the database to inject arbitrary Python code. This malicious code executes on the robot with root privileges when the user triggers the program via a controller keybinding, and the tampered binding persists across device reboots. Additionally, attackers can distribute malicious programs through the application's community marketplace, enabling arbitrary code execution on any Unitree Go2 robot that imports and runs the program. The vulnerability has a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, no privileges required, user interaction needed, and changed scope.
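The root cause described above is that a programme record travels from the app's database to the robot and is executed with no integrity check, so the robot cannot distinguish the record the user authored from one edited in place. The following is an added example, not code from Unitree or from the advisory: it sketches the verify-before-execute pattern that SI-7 calls for, using a keyed HMAC-SHA256 tag over the fields of a hypothetical programme record. The record schema and field names (programme_id, name, pyCode) mirror the advisory's description of the dog_programme table; the key, the signing scheme and every function name are assumptions for illustration.

```python
import hashlib
import hmac
import json

# Constructed key for this example only. In a real design the robot holds the
# verification key; the app's SQLite database (unitree_go2.db) must not.
SIGNING_KEY = b"example-key-not-for-production"

# Fields of the hypothetical programme record that the tag must cover; the
# names mirror the advisory's description of the dog_programme table.
COVERED_FIELDS = ("programme_id", "name", "pyCode")


def canonical_bytes(record: dict) -> bytes:
    """Serialize the covered fields in a fixed order so any change to pyCode
    changes the digest. Extra keys (such as 'tag') are deliberately ignored."""
    covered = {k: record[k] for k in COVERED_FIELDS}
    return json.dumps(covered, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_programme(record: dict, key: bytes = SIGNING_KEY) -> dict:
    """Return a copy of the record with an HMAC-SHA256 tag attached."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {**record, "tag": tag}


def verify_programme(record: dict, key: bytes = SIGNING_KEY) -> str:
    """Return pyCode only if the record's tag verifies; raise otherwise.

    The vulnerable behaviour the advisory describes is the equivalent of
    returning record["pyCode"] unconditionally."""
    tag = record.get("tag")
    if not isinstance(tag, str):
        raise ValueError("programme record carries no integrity tag")
    for field in COVERED_FIELDS:
        if field not in record:
            raise ValueError(f"programme record is missing {field}")
    expected = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("programme record failed integrity verification")
    return record["pyCode"]


def tamper_detected(signed: dict, new_code: str, key: bytes = SIGNING_KEY) -> bool:
    """Simulate the database edit the advisory describes: overwrite pyCode in a
    previously signed record and report whether verification rejects it."""
    edited = {**signed, "pyCode": new_code}
    try:
        verify_programme(edited, key)
    except ValueError:
        return True
    return False


# Constructed sample record; the pyCode body is a placeholder string, not a
# real robot API call.
SAMPLE_RECORD = {"programme_id": 7, "name": "demo", "pyCode": "robot.stand()"}
SIGNED_RECORD = sign_programme(SAMPLE_RECORD)

if __name__ == "__main__":
    print("verified pyCode:", verify_programme(SIGNED_RECORD))
    print("edit rejected:", tamper_detected(SIGNED_RECORD, "robot.stand()  # edited"))
```

Two caveats follow from the advisory's own threat model. A symmetric HMAC key only helps if the app that the attacker can read and edit does not hold it, so the marketplace case calls for an asymmetric scheme in which only the publisher or marketplace service signs and the robot verifies with a public key. And verification alone does not address the privilege problem the advisory also names: a correctly signed programme still runs as root, so SI-10 input validation and running programme code under a constrained, non-root account remain necessary on the robot side.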

Advisories provide further details on the vulnerability, including https://boschko.ca/unitree-go2-rce/ and https://www.vulncheck.com/advisories/unitree-go2-mobile-program-tampering-enables-root-rce. The Unitree Go2 product page is available at https://shop.unitree.com/products/unitree-go2.

Details

CWE(s)
CWE-345 Insufficient Verification of Data Authenticity

Affected Products
unitree go2 firmware, versions 1.1.7 through 1.1.11

CVEs Like This One

CVE-2026-27509: same product (Unitree Go2)
CVE-2026-1442: same vendor (Unitree)
CVE-2025-24807: shared CWE-345
CVE-2024-39805: shared CWE-345
CVE-2026-43534: shared CWE-345
CVE-2026-33243: shared CWE-345
CVE-2025-15385: shared CWE-345
CVE-2026-28454: shared CWE-345
CVE-2026-2836: shared CWE-345
CVE-2026-25921: shared CWE-345
