A critical command injection vulnerability in the operating system (OS) for collaborative robots used across operational technology (OT) environments allows an unauthenticated attacker to execute commands on the system. Exploiting the flaw could threaten the integrity of the system and potentially the safety of those interacting with it.

Danish company Universal Robots has patched the vulnerability, tracked as CVE-2026-8153 and found in the Dashboard Server interface of Universal Robots PolyScope 5. The flaw exists because the Dashboard Server accepts user-controlled input and passes it to the underlying OS without proper neutralization of special elements, according to a company security advisory.

The flaw has a CVSS 3.1 base score of 9.8 and allows anyone who can reach the Dashboard Server network port to craft commands that are executed on the robot’s operating system. In practice, an unauthenticated attacker with network access to that port can achieve remote code execution (RCE) and compromise the controller.
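The advisory describes the bug class rather than the specific code path, so the following is an added, hypothetical illustration of that class (CWE-78, OS command injection). It is not Universal Robots' Dashboard Server code: the handler names, the ".urp" name allowlist and the harmless `echo` placeholder command are all assumptions made for the example. It puts the vulnerable pattern (client input interpolated into a string handed to the shell) next to the hardened pattern (allowlist validation, then an argument vector with no shell involved), and runs a constructed injected request through both.

```python
"""Vulnerable vs. hardened handling of an untrusted request parameter.

Added example of the CWE-78 pattern; NOT Universal Robots' code. "echo" is a
harmless stand-in for whatever a real service would execute.
"""
import re
import subprocess

# Assumption for the illustration: program names are plain file names ending
# in ".urp" with no path separators and no shell metacharacters.
PROGRAM_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*\.urp$")


def vulnerable_load(program: str) -> str:
    """Vulnerable pattern: the client-supplied name is concatenated into a
    command string that the system shell parses. A ';' in the input ends the
    intended command and starts one chosen by the client."""
    cmd = f"echo load {program}"  # no neutralization of special elements
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def hardened_load(program: str) -> str:
    """Hardened pattern: reject anything outside the allowlist, then pass the
    value as a single argv element so no shell ever interprets it."""
    if not PROGRAM_NAME.fullmatch(program):
        raise ValueError(f"rejected program name: {program!r}")
    result = subprocess.run(["echo", "load", program],  # shell=False (default)
                            capture_output=True, text=True, check=True)
    return result.stdout


def demo() -> dict:
    """Run both handlers against a benign and a constructed injected request."""
    benign = "pick_and_place.urp"
    injected = "pick_and_place.urp; echo INJECTED"  # constructed attacker input
    out = {
        "vulnerable_benign": vulnerable_load(benign),
        "vulnerable_injected": vulnerable_load(injected),  # second command runs
        "hardened_benign": hardened_load(benign),
    }
    try:
        hardened_load(injected)
        out["hardened_injected"] = "accepted"
    except ValueError:
        out["hardened_injected"] = "rejected"  # never reaches the OS
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The injected request produces two lines of output from the vulnerable handler (the second one is the attacker's), while the hardened handler refuses it before any process is spawned. The allowlist is the primary control; the argv form is defense in depth for the case where a value slips past validation.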


Universal Robots credited Vera Mens of Claroty Team82 with discovery and responsible disclosure of the flaw, and acknowledged coordination through the Cybersecurity and Infrastructure Security Agency (CISA) and CERT/CC’s VINCE platform. CISA also put out its own advisory on the vulnerability.

How CVE-2026-8153 Puts ‘Cobots’ at Risk

Universal Robots’ PolyScope systems are collaborative robots, commonly referred to as “cobots,” deployed across manufacturing, logistics, warehousing, automotive, healthcare, and other industrial production environments.

“The flaw affects the robot controller itself, which is effectively a Linux-based computer connected directly to operational technology and physical machinery,” Morey Haber, chief security advisor at BeyondTrust, tells Dark Reading.

Universal Robots has noted in its advisory that remote exploitation of CVE-2026-8153 requires the robot’s Dashboard Server to be enabled in the UI, and its port must be reachable by the attacker. The company’s robots are designed so that they are not accessible directly from the Internet, and companies typically have firewalls that prevent direct inbound Internet access to OT systems, according to Universal Robots. 

Still, exploiting the flaw can significantly impact the PolyScope 5 robotic system’s confidentiality, integrity, and availability, Haber says. That’s because attackers could gain administrative-level control over the robotic controller without valid credentials and operate undetected, even over a persistent period of time, he says. 


Security, Safety Concerns for OT Systems

Exploitation has implications beyond the control systems as well because, in many environments, these robotic systems communicate with PLCs, manufacturing execution system (MES) platforms, ERP applications, and remote management infrastructure. This makes controllers “highly interconnected OT assets rather than isolated machines according to the manufacturer’s own specifications,” Haber says.

Potentially disruptive outcomes include production shutdowns, sabotage of manufacturing workflows, ransomware deployment, destruction of operational and configuration data, or manipulation of robotic precision and calibration, Haber notes.

Exploiting the flaw not only has security implications across all these systems, but also has safety implications as well, since “industrial robots bridge the digital and physical worlds,” Haber notes.

“If attackers manipulate robot behavior, disable safeguards, alter programmed movements, or interrupt safety logic, the consequences move beyond cybersecurity and into human safety,” he says. “A compromised cobot may no longer operate predictably around workers, assembly lines, or with hazardous materials.”


This could pose not only an operational hazard, but also a critical infrastructure threat due to production outages or equipment damage, or even a physical threat to humanity via an environmental catastrophe, Haber says.

Mitigations for the PolyScope 5 Flaw

No exploitation of the flaw is known at this time. Universal Robots “strongly recommends that all customers update to version 5.25.1 or newer, as soon as possible,” which patches the vulnerability on affected systems, according to the advisory.

If updating is not immediately possible, Universal Robots recommends measures aligned with CISA’s defensive guidance for control system devices, including minimizing the robot’s network exposure by placing it and other control system devices behind firewalls and isolating them from business networks. Administrators should also disable the Dashboard Server in PolyScope entirely if no application uses it, and restrict access to the port to specific trusted hosts or subnets in the OS, Universal Robots said.

Haber also recommends “strict segmentation between IT and OT environments” as a general rule in environments using any industrial control system (ICS). He also notes the importance of keeping the Dashboard Server disabled if it’s not operationally required since “remote management interfaces are the control plane for an environment and consistently become high value attack surfaces in industrial environments.”
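The two compensating controls above (restrict the Dashboard Server port to trusted hosts or subnets, and treat that remote management interface as a high-value attack surface worth watching) are concrete enough to show in code. What follows is an added example, not Universal Robots' tooling or CISA's guidance text. It renders an nftables allowlist for the port from a list of trusted networks, and runs a check over constructed firewall log lines to surface connection attempts to that port from outside the allowlist. The port number, the trusted networks and the log format are all assumptions for the example: confirm the Dashboard Server port against your controller's documentation and adapt the regex to your firewall's export format.

```python
"""Allowlist the Dashboard Server port and audit who is reaching it.

Added example; not Universal Robots' or CISA's code. DASHBOARD_PORT, TRUSTED
and the log lines are constructed assumptions for the demonstration.
"""
import ipaddress
import re

DASHBOARD_PORT = 29999  # assumption; use your controller's documented port

# Constructed allowlist: an OT engineering subnet plus one MES host.
TRUSTED = ["10.20.30.0/24", "10.20.40.15/32"]


def nft_allowlist(trusted, port=DASHBOARD_PORT) -> str:
    """Render an nftables ruleset that accepts the port only from the trusted
    set and drops every other attempt to reach it; other traffic keeps the
    chain's existing policy. Load on the controller with: nft -f <file>"""
    nets = [str(ipaddress.ip_network(n, strict=False)) for n in trusted]
    return "\n".join([
        "table inet cobot {",
        "  set trusted {",
        "    type ipv4_addr",
        "    flags interval",
        "    elements = { " + ", ".join(nets) + " }",
        "  }",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    tcp dport {port} ip saddr @trusted accept",
        f"    tcp dport {port} drop",  # also catches IPv6 sources
        "  }",
        "}",
    ])


# Constructed key=value export format; adapt to your firewall/NetFlow tool.
LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)

SAMPLE_LOG = [  # constructed sample lines
    f"2026-04-01T08:00:01Z src=10.20.30.7 dst=10.20.30.200 proto=tcp dport={DASHBOARD_PORT} action=accept",
    f"2026-04-01T08:00:09Z src=10.20.40.15 dst=10.20.30.200 proto=tcp dport={DASHBOARD_PORT} action=accept",
    f"2026-04-01T08:02:13Z src=10.50.1.88 dst=10.20.30.200 proto=tcp dport={DASHBOARD_PORT} action=accept",
    f"2026-04-01T08:02:20Z src=10.50.1.88 dst=10.20.30.200 proto=tcp dport={DASHBOARD_PORT} action=accept",
    "2026-04-01T08:03:44Z src=172.16.9.3 dst=10.20.30.200 proto=tcp dport=443 action=accept",
    f"2026-04-01T08:04:02Z src=198.51.100.23 dst=10.20.30.200 proto=tcp dport={DASHBOARD_PORT} action=accept",
]


def untrusted_dashboard_sources(log_lines, trusted, port=DASHBOARD_PORT):
    """Return the sorted, de-duplicated source addresses that reached the
    Dashboard Server port from outside the trusted hosts/subnets."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted]
    flagged = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["proto"].lower() != "tcp" or int(m["dport"]) != port:
            continue  # unparseable line or traffic to some other port
        src = ipaddress.ip_address(m["src"])
        if not any(src in n for n in nets):  # version mismatch counts as "not in"
            flagged.add(str(src))
    return sorted(flagged)


if __name__ == "__main__":
    print(nft_allowlist(TRUSTED))
    print("untrusted sources:", untrusted_dashboard_sources(SAMPLE_LOG, TRUSTED))
```

The ruleset belongs on the controller (or on the OT firewall in front of it) and the audit belongs in the SOC: any source the audit flags after the allowlist is deployed is either a gap in segmentation or an attempt that the drop rule should already be recording.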
