Cyber Resilience

CVE-2026-8153

Severity: Critical · RCE

Published: 08 May 2026
Modified: 11 May 2026
KEV Added: not listed
Patch: available (PolyScope 5.25.1 or later)
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0183 (76.2th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-8153 is a critical-severity OS Command Injection (CWE-78) vulnerability in Universal Robots PolyScope (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 23.8% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-8153 is an OS command injection vulnerability, tracked under CWE-78, that affects the Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1. The flaw resides in the robot controller software and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible unauthenticated exploitation with high impact on confidentiality, integrity, and availability.

An unauthenticated remote attacker can supply specially crafted commands through the Dashboard Server interface and achieve arbitrary code execution on the underlying robot operating system. Successful exploitation grants full control over the robot controller without requiring credentials or user interaction.

The single reference points to Universal Robots documentation describing the Dashboard Server communication protocol; the version information indicates that upgrading PolyScope to 5.25.1 or later removes the vulnerable interface behavior. The associated EPSS score remains flat at 0.0197 with no material increase after disclosure.

Vulnerability details

OS command injection in the Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 allows an unauthenticated attacker to craft commands that execute code on the robot's OS.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

OS command injection in unauthenticated public-facing Dashboard Server interface directly enables remote code execution on the robot's Unix-based OS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25115 (shared CWE-78)
CVE-2025-24382 (shared CWE-78)
CVE-2026-29058 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2024-46484 (shared CWE-78)
CVE-2015-10145 (shared CWE-78)
CVE-2020-37002 (shared CWE-78)
CVE-2026-27848 (shared CWE-78)
CVE-2025-0356 (shared CWE-78)
CVE-2025-13942 (shared CWE-78)

Affected Assets

Vendor: Universal Robots
Product: PolyScope
(Inferred from references and description; NVD did not file a CPE for this CVE.)

Mitigating Controls (NIST 800-53 r5) [AI]

SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of all inputs to the Dashboard Server interface, blocking the crafted OS commands that trigger CWE-78 injection.

AC-3 Access Enforcement (prevent): Enforces that only authenticated and authorized subjects may invoke commands on the robot OS, eliminating the unauthenticated code-execution path.

Prevent: Mandates prompt application of the PolyScope 5.25.1+ update that removes the vulnerable Dashboard Server behavior before exploitation can occur.
