HIGH
UnitreeRobotics
CVE published 2026-02-26
CVE-2026-27509
A critical remote code execution vulnerability affects Unitree Go2 quadruped robots running firmware versions V1.1.7 through V1.1.9, and V1.1.11 (EDU). The root cause is the absence of DDS authentication and authorization on the Eclipse CycloneDDS topic `rt/api/programming_actuator/request`, which is processed by the `actuator_manager.py` service. A network-adjacent attacker can join DDS domain 0 without [truncated]