Command Injection vulnerabilities reported in Unitree Robots
Take action: If you are using Unitree robots, disable their Bluetooth and start calling the vendor. Given that these robots are used for law enforcement and military applications, and given the self-replicating nature of the exploit, this exploit is very scary. Even if the flaws are not critical, the value of the target is high enough that attackers will invest significant resources to achieve exploitation, especially since there isn't an official patch - but maybe the customers will get some "confidential" update.
Learn More
Security researchers Andreas Makris and Kevin Finisterre, with contributions from Konstantin Severov, are reporting multiple security vulnerabilities affecting Unitree's robotic platforms, marking the first publicly disclosed exploit targeting commercial humanoid robots.
Nottinghamshire Police in the United Kingdom are actively trialing Unitree robots for armed response scenarios including armed sieges, hostage negotiations, building searches, and dangerous area reconnaissance operations. China's People's Liberation Army has deployed Unitree robots for military applications. In these critical law enforcement and military contexts, compromised robots could be turned against operators, used to leak intelligence, sabotage operations, or provide enemy actors with surveillance capabilities inside secure facilities.
The security flaws stem from a combination of hardcoded cryptographic keys, trivial authentication bypass mechanisms, and unsanitized command injection vulnerabilities in the Bluetooth Low Energy Wi-Fi configuration interface.
Infected robots can automatically scan for and compromise other Unitree robots within Bluetooth range without any user interaction, potentially creating self-propagating robot botnets.
Vulnerabilities summary
- CVE-2025-35027 (CVSS score 7.3)
- CVE-2025-60017 (CVSS score 8.2)
- CVE-2025-60250 (CVSS score 5.0)
- CVE-2025-60251 (CVSS score 4.7)
An attack chains the security flaws in the BLE protocol implementation. First, all affected devices use identical hardcoded AES-CFB128 encryption keys that were published by the researchers on social media in July 2025. The AES key (df98b715d5c6ed2b25817b6f2554124a) and initialization vector (2841ae97419c2973296a0d4bdfe19a4f) are the same across all devices, eliminating any device-specific security. The authentication mechanism is equally flawed—after decrypting BLE packets with these hardcoded keys, the robot only checks if the packet contains the substring "unitree" to grant authentication, setting a valid user flag without any additional verification.
Once authenticated, attackers can exploit a command injection vulnerability through the Wi-Fi configuration process. By sending specific instruction sequences through the BLE interface, attackers can inject arbitrary shell commands into the SSID or password fields. When the robot processes instruction 6 (set the country code), it triggers a Wi-Fi configuration thread that calls either the restart_wifi_ap or the restart_wifi_sta function. These functions construct shell commands using the user-supplied SSID and password values and pass them directly to the system() function without any input validation or sanitization. A simple payload such as ";$(reboot -f);#" placed in one of those fields therefore executes arbitrary commands with root privileges.
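The vulnerable pattern described above, as an added illustration that is not Unitree's code: a hypothetical reconstruction of a restart_wifi_sta-style helper that splices the BLE-supplied SSID and password into a system() string, next to a hardened version that allow-lists the fields and passes them as argv to execv() so no shell ever parses them. The tool path /opt/wifi/connect-sta and all function names are placeholders assumed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Placeholder path for the helper the hypothetical firmware invokes; not real. */
#define WIFI_TOOL "/opt/wifi/connect-sta"

/* Vulnerable pattern (reconstruction, not Unitree's code): the BLE-supplied
 * SSID and password are spliced into one shell string that the original code
 * would hand to system(). Any shell metacharacter in either field rewrites the
 * command. The string is only built here, deliberately never executed. */
int build_wifi_cmd_unsafe(const char *ssid, const char *psk, char *out, size_t n)
{
    int len = snprintf(out, n, WIFI_TOOL " %s %s", ssid, psk);
    return (len > 0 && (size_t)len < n) ? 0 : -1;
}

/* Hardened check: allow-list the characters a field may contain and enforce the
 * 802.11/WPA2 length limits (SSID 1..32 bytes, passphrase 8..63). Anything else
 * is rejected outright rather than escaped. */
int wifi_field_is_safe(const char *s, size_t min_len, size_t max_len)
{
    size_t len = strlen(s);
    if (len < min_len || len > max_len) return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!isalnum(c) && strchr("-_. ", c) == NULL) return 0;
    }
    return 1;
}

/* Hardened launcher: validate first, then pass the fields as separate argv
 * entries to execv() in a child process, so no shell ever parses them.
 * Returns the tool's exit status, or -1 if validation or process start failed. */
int restart_wifi_sta_safe(const char *ssid, const char *psk)
{
    if (!wifi_field_is_safe(ssid, 1, 32) || !wifi_field_is_safe(psk, 8, 63))
        return -1;
    char *argv[] = { WIFI_TOOL, (char *)ssid, (char *)psk, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(WIFI_TOOL, argv); _exit(127); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The same page payload that passes straight through build_wifi_cmd_unsafe() is rejected by wifi_field_is_safe() before restart_wifi_sta_safe() ever starts a process.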
The vulnerabilities affect multiple Unitree robot models including Go2, G1, H1, and B2 series robots and remain unpatched as of September 20, 2025, despite researchers' attempts to responsibly disclose the issues beginning in April 2025.
The team attempted responsible disclosure beginning May 14, 2025, contacting Unitree through multiple channels including LinkedIn, GitHub, and numerous email addresses. Despite initial discussions about a potential bug bounty program, Unitree created a security email address only after two weeks of discussion and showed minimal engagement with the security issues.
Throughout June and July 2025, communication dwindled as researchers pressed for transparency about borrowed MIT Cheetah licensed code and the use of encryption to obfuscate such code. Unitree claimed that addressing the vulnerabilities would require full system iterations taking quarters or years. After Unitree announced a US$7 billion IPO valuation target in early September 2025 and ceased all communications, the researchers made the decision to disclose publicly on September 20, 2025.
As Unitree has not released patches or provided official mitigation guidance for these vulnerabilities, users should disable Bluetooth connectivity on robots when it is not actively required for configuration, restrict robot operations to isolated network segments that are segregated from critical infrastructure, and consider completely disabling affected robots in high-security environments until patches become available.