CVE-2026-27509Unitree · Go2_firmware
Vulnerability data via NVD (ingested)
Unitree Go2 firmware versions V1.1.7 through V1.1.9, and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When the keybinding is pressed, the code executes as root and the binding persists across reboots.
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2026-27509os:"Go2 Firmware"More intel sources (5)
vuln:CVE-2026-27509vulnerabilities.cve_id: CVE-2026-27509CVE-2026-27509CVE-2026-27509"CVE-2026-27509" exploit -site:nvd.nist.gov