CVE-2026-27510

Medium · Public PoC

Published: 26 February 2026
Modified: 12 March 2026
KEV Added: not listed
Patch:
CVSS Score v4: 6.4
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0029 (20.7th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-27510 is a medium-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Unitree Go2 Firmware. Its CVSS base score is 6.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE is ranked at the 20.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-27510 is a remote code execution vulnerability (CWE-345: Insufficient Verification of Data Authenticity) affecting Unitree Go2 firmware versions 1.1.7 through 1.1.11 when paired with the Unitree Go2 Android application (com.unitree.doggo2). The issue arises from a lack of integrity protection and validation for user-created programs. The Android app stores these programs in a local SQLite database (unitree_go2.db, table dog_programme) and transmits the programme_text content, including the pyCode field, to the robot. The robot's actuator_manager.py then executes the supplied Python code as root without any integrity verification or content validation.

Attackers with local access to the victim's Android device can tamper with the stored programme record in the database to inject arbitrary Python code. This malicious code executes on the robot with root privileges when the user triggers the program via a controller keybinding, and the tampered binding persists across device reboots. Additionally, attackers can distribute malicious programs through the application's community marketplace, enabling arbitrary code execution on any Unitree Go2 robot that imports and runs the program. The vulnerability has a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, no privileges required, user interaction needed, and changed scope.

Advisories provide further details on the vulnerability, including https://boschko.ca/unitree-go2-rce/ and https://www.vulncheck.com/advisories/unitree-go2-mobile-program-tampering-enables-root-rce. The Unitree Go2 product page is available at https://shop.unitree.com/products/unitree-go2.

Vulnerability details

Unitree Go2 firmware versions 1.1.7 through 1.1.11, when used with the Unitree Go2 Android application (com.unitree.doggo2), are vulnerable to remote code execution due to missing integrity protection and validation of user-created programmes. The Android application stores programs in a local SQLite database (unitree_go2.db, table dog_programme) and transmits the programme_text content, including the pyCode field, to the robot. The robot's actuator_manager.py executes the supplied Python as root without integrity verification or content validation. An attacker with local access to the Android device can tamper with the stored programme record to inject arbitrary Python that executes when the user triggers the program via a controller keybinding, and the malicious binding persists across reboots. Additionally, a malicious program shared through the application's community marketplace can result in arbitrary code execution on any robot that imports and runs it.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.006 Python (Execution): Adversaries may abuse Python commands and scripts for execution.

Why these techniques?

The vulnerability enables remote code execution through the robot's actuator_manager.py service (T1210), with the injected code running directly as root (T1068), using Python as the execution vehicle (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27509: same product, Unitree Go2
CVE-2026-1442: same vendor, Unitree
CVE-2024-39805: shared CWE-345
CVE-2025-24807: shared CWE-345
CVE-2026-43534: shared CWE-345
CVE-2026-33243: shared CWE-345
CVE-2026-3012: shared CWE-345
CVE-2026-35051: shared CWE-345
CVE-2025-15385: shared CWE-345
CVE-2025-1108: shared CWE-345

Affected Assets

unitree go2 firmware, versions 1.1.7 through 1.1.11

Mitigating Controls (NIST 800-53 r5)

SI-7 Software, Firmware, and Information Integrity (prevent, detect): mandates integrity verification mechanisms for software, firmware, and information, directly addressing the absence of checks on user-supplied Python programs before root execution on the robot.

SI-10 Information Input Validation (prevent): requires validation of all information inputs, preventing injection of arbitrary malicious Python code via tampering with the Android app's SQLite database programme_text field.

SC-18 Mobile Code (prevent): establishes controls and approval processes for mobile code execution, mitigating risks from unverified user-created programs transmitted from the app or marketplace to the robot.
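The following is an added example, not code from Unitree or from the advisories linked above, showing the kind of SI-7 integrity gate that the Deeper analysis section says is missing: a robot-side check that refuses a programme_text record whose pyCode has been rewritten in the phone's database after the record was created. It uses an in-memory SQLite table named dog_programme as a stand-in for unitree_go2.db; the id and name columns, the tag field inside the JSON, and the HMAC key are all assumptions made for the demonstration, and nothing is ever passed to exec().

```python
import hashlib
import hmac
import json
import sqlite3

# Constructed demo key. For this design to hold, the verification key must live
# somewhere an attacker with access to the phone cannot read it (on the robot, or as
# the public half of an asymmetric signature); a key stored inside the app would be
# no better than no check. Assumption for the example, not a Unitree value.
ROBOT_KEY = b"demo-only-robot-integrity-key"


def programme_tag(py_code: str, key: bytes = ROBOT_KEY) -> str:
    """HMAC-SHA256 over the exact bytes of the pyCode field."""
    return hmac.new(key, py_code.encode("utf-8"), hashlib.sha256).hexdigest()


def make_programme_text(py_code: str, key: bytes = ROBOT_KEY) -> str:
    """Build a programme_text JSON document with an integrity tag (the tag field is assumed)."""
    return json.dumps({"pyCode": py_code, "tag": programme_tag(py_code, key)})


def verify_programme_text(programme_text: str, key: bytes = ROBOT_KEY) -> bool:
    """Robot-side check: accept the record only if the tag matches the pyCode it carries."""
    try:
        record = json.loads(programme_text)
        py_code = record["pyCode"]
        tag = record["tag"]
    except (ValueError, KeyError, TypeError):
        return False
    if not isinstance(py_code, str) or not isinstance(tag, str):
        return False
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return hmac.compare_digest(programme_tag(py_code, key), tag)


def run_programme(programme_text: str, key: bytes = ROBOT_KEY) -> str:
    """The gate that would sit in front of the interpreter; this demo never executes anything."""
    if not verify_programme_text(programme_text, key):
        return "rejected: integrity check failed"
    return "accepted: pyCode would be handed to the interpreter"


def build_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for unitree_go2.db holding one legitimately tagged programme."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE dog_programme (id INTEGER PRIMARY KEY, name TEXT, programme_text TEXT)"
    )
    conn.execute(
        "INSERT INTO dog_programme VALUES (1, 'wave', ?)",
        (make_programme_text("print('hello from the robot')"),),
    )
    conn.commit()
    return conn


def demo() -> dict:
    """Create a tagged record, overwrite its pyCode in the table, and show the gate's verdicts."""
    conn = build_demo_db()
    original = conn.execute(
        "SELECT programme_text FROM dog_programme WHERE id = 1"
    ).fetchone()[0]
    # Simulate a record rewritten in the database after creation: the pyCode changes
    # but the writer has no key, so the stored tag no longer matches.
    altered = json.loads(original)
    altered["pyCode"] = "print('modified after the fact')"
    conn.execute(
        "UPDATE dog_programme SET programme_text = ? WHERE id = 1",
        (json.dumps(altered),),
    )
    conn.commit()
    modified = conn.execute(
        "SELECT programme_text FROM dog_programme WHERE id = 1"
    ).fetchone()[0]
    return {
        "original_verified": verify_programme_text(original),
        "tampered_verified": verify_programme_text(modified),
        "tampered_outcome": run_programme(modified),
    }


if __name__ == "__main__":
    print(demo())
```

The check only helps if the tagging authority is out of the attacker's reach: a symmetric key that the app itself needs in order to create programmes would also be available to anyone who can read the device, so a production design would either have the robot stamp programmes when they are first created over an authenticated session, or sign marketplace programmes with a private key held off the device and ship only the public key in firmware. SI-10 content validation (restricting what the submitted Python may do) is a separate control that this example does not attempt.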

References