CVE-2020-10265
📋 TL;DR
Universal Robots industrial robot controllers expose an unauthenticated dashboard service on TCP port 29999 that lets remote attackers invoke core robot functions. This affects Universal Robots CB2, CB3, and e-series controllers running vulnerable software versions. Attackers can start and stop programs, shut down the system, reset safety features, and potentially cause physical damage.
💻 Affected Systems
- Universal Robots CB2 Robot Controller
- Universal Robots CB3 Robot Controller
- Universal Robots e-series Robot Controller
📦 What is this software?
UR Software by Universal Robots
⚠️ Risk & Real-World Impact
Worst Case
Complete loss of control over industrial robots leading to physical damage, production line shutdowns, safety system bypass causing injury, or ransomware deployment on industrial networks.
Likely Case
Unauthorized program execution causing production disruption, safety system manipulation, or robot shutdown leading to operational downtime.
If Mitigated
Limited impact with proper network segmentation and access controls, though the vulnerability remains present in the system.
🎯 Exploit Status
A plain TCP connection to port 29999 followed by dashboard commands is enough to exploit this vulnerability. No special tools or skills are required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://www.universal-robots.com/how-tos-and-faqs/how-to/ur-how-tos/real-time-data-exchange-rtde-guide/
Restart Required: No
Instructions:
No official patch exists. Universal Robots recommends implementing network security controls and not exposing the dashboard server to untrusted networks.
🔧 Temporary Workarounds
Network Segmentation and Firewall Rules
Block access to port 29999 from untrusted networks and implement strict network segmentation for robot controllers.
iptables -A INPUT -p tcp --dport 29999 -j DROP
netsh advfirewall firewall add rule name="Block UR Dashboard" dir=in action=block protocol=TCP localport=29999
Access Control Lists
Restrict access to port 29999 to authorized management systems only, using IP-based filtering.
iptables -A INPUT -p tcp --dport 29999 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 29999 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate robot controllers from other networks
- Deploy industrial firewalls with deep packet inspection to monitor and control dashboard server traffic
🔍 How to Verify
Check if Vulnerable:
Connect to the robot controller's IP address on port 29999 using telnet or netcat. If the connection succeeds and dashboard commands are accepted, the system is vulnerable.
Check Version:
Check the robot controller's software version via the PolyScope interface or with UR's diagnostic tools.
Verify Fix Applied:
Attempt to connect to port 29999 from unauthorized networks; the connection should be blocked. From authorized networks, verify that only the authorized management systems can reach the port.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized connection attempts to port 29999
- Dashboard commands from unexpected IP addresses
- Robot program start/stop events without operator action
Network Indicators:
- TCP connections to port 29999 from non-management networks
- Dashboard protocol traffic outside expected patterns
- Multiple failed authentication attempts (if authentication is added)
SIEM Query:
source_port=29999 OR dest_port=29999 | stats count by src_ip, dest_ip, action
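As an added example (not from the advisory or from Universal Robots), the detection logic behind the network indicators and the SIEM query above, run over constructed firewall log lines: it flags every connection attempt to port 29999 whose source lies outside an assumed management subnet (10.0.0.0/24, the same range used in the ACL workaround) and counts them per source and destination. The log lines, host names and addresses are all constructed sample values in the netfilter LOG target's kernel-log format.

```python
"""Added example, not part of the advisory: flag dashboard-port (29999)
connection attempts from outside the management subnet in constructed
iptables LOG lines, roughly what the advisory's SIEM query counts."""
import ipaddress
import re
from collections import Counter

DASHBOARD_PORT = 29999
# Assumed management subnet; matches the allow-list in the advisory's ACL rule.
MANAGEMENT_NET = ipaddress.ip_network("10.0.0.0/24")

# Constructed sample lines (netfilter LOG target format as seen in kern.log).
# 10.0.5.20 is a constructed robot controller address.
SAMPLE_LOG = """\
Mar 10 08:01:12 fw kernel: UR-DASH: IN=eth1 OUT= SRC=10.0.0.15 DST=10.0.5.20 PROTO=TCP SPT=51514 DPT=29999 SYN
Mar 10 08:02:40 fw kernel: UR-DASH: IN=eth1 OUT= SRC=10.0.7.99 DST=10.0.5.20 PROTO=TCP SPT=40211 DPT=29999 SYN
Mar 10 08:02:41 fw kernel: UR-DASH: IN=eth1 OUT= SRC=10.0.7.99 DST=10.0.5.20 PROTO=TCP SPT=40212 DPT=29999 SYN
Mar 10 08:03:05 fw kernel: UR-DASH: IN=eth1 OUT= SRC=10.0.0.15 DST=10.0.5.20 PROTO=TCP SPT=51520 DPT=8080 SYN
Mar 10 08:04:33 fw kernel: UR-DASH: IN=eth0 OUT= SRC=192.168.50.3 DST=10.0.5.20 PROTO=TCP SPT=33000 DPT=29999 SYN
Mar 10 08:05:00 fw kernel: UR-DASH: IN=eth1 OUT= SRC=10.0.5.20 DST=10.0.0.15 PROTO=TCP SPT=29999 DPT=51514 ACK
"""

# Pull the fields we need out of a LOG line; other fields are ignored.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)"
)


def parse_log_line(line: str):
    """Return a dict of src, dst, proto, spt, dpt for a netfilter LOG line,
    or None if the line does not carry those fields."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def find_unauthorized_dashboard_connections(log_text: str,
                                            management_net=MANAGEMENT_NET,
                                            port: int = DASHBOARD_PORT) -> list:
    """Events where a TCP connection is made *to* the dashboard port from a
    source outside the management subnet. Replies from the controller
    (SPT=29999) are not connection attempts and are deliberately skipped."""
    events = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] != port:
            continue
        try:
            src_ip = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue  # malformed address: not something we can classify
        if src_ip not in management_net:
            events.append(rec)
    return events


def summarize(events: list) -> Counter:
    """Count flagged events by (src, dst), the grouping the SIEM query uses."""
    return Counter((e["src"], e["dst"]) for e in events)


if __name__ == "__main__":
    hits = find_unauthorized_dashboard_connections(SAMPLE_LOG)
    for (src, dst), n in summarize(hits).most_common():
        print(f"{src} -> {dst}:{DASHBOARD_PORT}  {n} attempt(s) from outside {MANAGEMENT_NET}")
```

The fourth and sixth sample lines are the two cases a naive port match gets wrong: a management host talking to an unrelated port, and the controller's own reply carrying 29999 as the source port. Keying on the destination port and the source subnet keeps both out of the alert list, which is the refinement a SOC would apply to the broad `source_port=29999 OR dest_port=29999` query before paging on it.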