Vulnerability Details CVE-2025-2894
The Go1 also known as "The World's First Intelligence Bionic Quadruped Robot Companion of Consumer Level," contains an undocumented backdoor that can enable the manufacturer, and anyone in possession of the correct API key, complete remote control over the affected robotic device using the CloudSail remote access service.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 37.2%
CVSS Severity
CVSS v3 Score 6.6
References
- https://github.com/MAVProxyUser/YushuTechUnitreeGo1/blob/main/Unitree_report.pdf
- https://github.com/unitreerobotics/unitree_ros/issues/120
- https://takeonme.org/cves/cve-2025-2894/
- https://www.axios.com/2025/04/01/threat-spotlight-backdoor-in-chinese-robots-future-of-cybersecurity
- https://x.com/d0tslash/status/1730989109332607208
Products affected by CVE-2025-2894
-
cpe:2.3:h:unitree:go1:-
-
cpe:2.3:o:unitree:go1_firmware:-