CVE-2025-2894

6.6 MEDIUM

📋 TL;DR

The Go1 robotic companion contains an undocumented backdoor that allows remote attackers with the correct API key to gain complete control over the device via the CloudSail remote access service. This affects all users of the Go1 robot who haven't implemented specific security controls. The manufacturer and anyone with the API key can remotely operate the robot without user consent.

💻 Affected Systems

Products:
  • Unitree Go1 (also marketed as 'The World's First Intelligence Bionic Quadruped Robot Companion of Consumer Level')
Versions: All versions prior to any official patch
Operating Systems: Robot's embedded OS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices using CloudSail remote access service. Physical access to device or network compromise may also enable exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete remote takeover of robotic device allowing physical manipulation, surveillance, data theft, or use as a physical threat vector in sensitive environments.

🟠 Likely Case

Unauthorized remote access leading to privacy violations, data collection, or disruption of robotic functions.

🟢 If Mitigated

Limited impact if network segmentation and access controls prevent external communication with CloudSail service.

🌐 Internet-Facing: HIGH - Devices connected to internet via CloudSail service are directly exposed to remote exploitation.
🏢 Internal Only: MEDIUM - Internal network compromise could still allow attackers to reach devices if they gain network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires possession of the API key, which appears to be hardcoded or predictable. Public research documents exploitation methods.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Monitor Unitree Robotics for security updates and firmware releases.

🔧 Temporary Workarounds

Network Segmentation

Platform: all

Isolate Go1 robots on separate network segments with strict firewall rules blocking all external CloudSail communication.

Disable CloudSail Service

Platform: all

If functionality allows, disable or block the CloudSail remote access service completely.

🧯 If You Can't Patch

  • Physically disconnect from networks when not in supervised use
  • Implement strict network monitoring for CloudSail-related traffic patterns

🔍 How to Verify

Check if Vulnerable:

Check whether the device communicates with CloudSail domains or known API endpoints. Monitor for unexpected remote control commands.

Check Version:

Check the robot's firmware version through the manufacturer interface or documentation.

Verify Fix Applied:

Verify no unauthorized remote access occurs and CloudSail communication is blocked or disabled.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected remote access logs
  • CloudSail API authentication attempts
  • Unauthorized control commands

Network Indicators:

  • Outbound connections to CloudSail domains
  • Unexpected inbound control traffic
  • API key usage from unauthorized sources

SIEM Query:

Network traffic to/from CloudSail domains OR authentication events with hardcoded API keys
