Critical Command Injection Flaw in Universal Robots' Cobots Requires Immediate Patching
Severity: High (Score: 72.0)
Sources: Scworld, Darkreading, app.opencve.io
Keywords: critical, robots, universal, flaw, cobots, command, injection
Severity indicators: critical, flaw, command injection, ot
Summary
A critical command injection vulnerability (CVE-2026-8153) in Universal Robots' PolyScope 5 OS allows unauthenticated attackers to execute commands remotely on collaborative robots (cobots). This flaw, with a CVSS score of 9.8, affects the Dashboard Server interface, enabling potential disruption of production lines and safety risks. Universal Robots has released a patch in version 5.25.1 and recommended immediate updates, although no active exploitation has been reported yet. The vulnerability could allow attackers to manipulate operational parameters and gain administrative control over robotic systems, impacting various industries including manufacturing and logistics. CISA has issued advisories urging organizations to audit their OT networks to prevent exposure. Security experts stress the urgency of addressing this vulnerability due to its potential physical impacts.

Key Points:
- CVE-2026-8153 allows unauthenticated remote code execution on Universal Robots' cobots.
- The vulnerability affects the Dashboard Server of the PolyScope 5 OS with a CVSS score of 9.8.
- Organizations are advised to patch immediately and audit their OT networks for exposure.
Detailed Analysis
**Impact**
Over 100,000 collaborative robots ("cobots") running Universal Robots PolyScope 5 OS are affected globally, including deployments across manufacturing, logistics, automotive, healthcare, and warehousing sectors in the United States, Mexico, Europe, and Asia-Pacific. Exploitation can lead to production shutdowns, sabotage of workflows, ransomware deployment, and manipulation of robotic precision, posing operational hazards and safety risks to personnel. The interconnected nature of these cobots with PLCs, MES platforms, ERP systems, and remote management infrastructure amplifies potential disruption and data compromise.

**Technical Details**
The vulnerability, CVE-2026-8153, is a critical unauthenticated command injection flaw in the Dashboard Server interface of PolyScope 5, with a CVSS 3.1 base score of 9.8. Attackers require network access to the Dashboard Server port, which accepts user-controlled input without proper sanitization, enabling remote code execution on the Linux-based robot controller. Exploitation allows administrative control without credentials, enabling persistent undetected access and potential lateral movement within OT environments. No specific malware or IOCs were reported.

**Recommended Response**
Apply the Universal Robots PolyScope 5.25.1 patch immediately to remediate CVE-2026-8153. Disable the Dashboard Server functionality if not required and ensure strict firewall rules isolate the robot controllers from external networks. Segment OT networks to prevent unauthorized access, monitor for unusual Dashboard Server activity, and harden identity and access management controls to prevent credential compromise. Conduct a comprehensive OT network audit focusing on exposed services and dormant credentials.
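The audit recommended above, as an added example that is not Universal Robots' or CISA's tooling: it walks a constructed OT asset inventory and flags PolyScope 5 controllers that still run a build older than 5.25.1 or whose Dashboard Server is reachable from outside an approved OT range. The inventory fields, hostnames, and the approved CIDR are assumptions for illustration.

```python
"""Added example: PolyScope 5 / Dashboard Server exposure audit (not vendor code)."""
import ipaddress

FIXED_VERSION = (5, 25, 1)  # first PolyScope 5 build carrying the fix, per the advisory

# Assumption: only this engineering/OT cell range may reach a Dashboard Server.
APPROVED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]


def parse_version(text: str) -> tuple:
    """'5.25.1' -> (5, 25, 1). Compare numerically: as strings '5.9.0' > '5.25.1'."""
    return tuple(int(part) for part in text.strip().split("."))


def is_unpatched(version: str) -> bool:
    """True for PolyScope 5 builds older than 5.25.1; other major lines are out of scope."""
    v = parse_version(version)
    return v[0] == 5 and v < FIXED_VERSION


def exposed_sources(allowed: list) -> list:
    """Return allowed-source CIDRs that are not wholly inside an approved OT range."""
    bad = []
    for cidr in allowed:
        net = ipaddress.ip_network(cidr, strict=False)
        ok = any(net.version == a.version and net.subnet_of(a) for a in APPROVED_SOURCES)
        if not ok:
            bad.append(cidr)
    return bad


def audit(inventory: list) -> dict:
    """Map controller name -> list of findings (empty list means compliant)."""
    findings = {}
    for robot in inventory:
        issues = []
        if is_unpatched(robot["polyscope"]):
            issues.append(f"unpatched: {robot['polyscope']} < 5.25.1")
        if robot["dashboard_enabled"]:
            bad = exposed_sources(robot["dashboard_allowed_from"])
            if bad:
                issues.append("dashboard server reachable from " + ", ".join(bad))
        findings[robot["name"]] = issues
    return findings


# Constructed sample inventory; these are not real deployments.
SAMPLE_INVENTORY = [
    {"name": "cell-01", "polyscope": "5.9.0", "dashboard_enabled": True,
     "dashboard_allowed_from": ["10.20.5.0/24"]},       # patched? no; exposure ok
    {"name": "cell-02", "polyscope": "5.25.1", "dashboard_enabled": True,
     "dashboard_allowed_from": ["0.0.0.0/0"]},          # patched, but world-reachable
    {"name": "cell-03", "polyscope": "5.25.1", "dashboard_enabled": False,
     "dashboard_allowed_from": []},                     # dashboard disabled: compliant
]
```

Run `audit(SAMPLE_INVENTORY)` to get one finding list per controller; an empty list means the controller is both patched and not exposed.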
Source articles (3)
- Patch Now: Critical Flaw in OT Robot OS Gives Attackers Control — Darkreading · 2026-05-20
  An unauthenticated attacker can exploit the command injection vulnerability to gain remote access to robotic systems, causing significant disruption to the environment. A critical command injection vu…
- CVE-2026-8153 — app.opencve.io · 2026-05-20
- Universal Robots patches critical 9.8 flaw in 'cobots' OS | news — Scworld · 2026-05-19
  Danish robotics company Universal Robots recently patched a critical 9.8 bug in the Dashboard Server of its Universal Robots PolyScope 5 operating system for its collaborative robots, or "cobots." Uni…
Timeline
- 2026-05-08 — CVE-2026-8153 published: Universal Robots disclosed a critical command injection vulnerability in its cobots' OS.
- 2026-05-19 — Patch released for critical flaw: Universal Robots issued a patch in version 5.25.1 to address CVE-2026-8153, urging immediate installation.
- Recent — CISA issues advisory: CISA warned organizations to audit OT networks and apply the patch to mitigate risks from the vulnerability.
CVEs
- CVE-2026-8153
Related entities
- Zero-day Exploit (Attack Type)
- CERT/CC (Company)
- Claroty (Company)
- Cybersecurity and Infrastructure Security Agency (Company)
- Universal Robots (Company)
- Mexico (Country)
- United States (Country)
- CWE-287 - Improper Authentication (CWE)
- CWE-78 - OS Command Injection (CWE)
- Healthcare (Industry)
- Manufacturing (Industry)
- T1059 - Command and Scripting Interpreter (MITRE ATT&CK)
- T1078 - Valid Accounts (MITRE ATT&CK)
- T1203 - Exploitation for Client Execution (MITRE ATT&CK)
- Dashboard Server (Platform)
- Linux (Platform)
- PolyScope (Platform)
- PolyScope 5 (Platform)