CVE-2025-60017

8.2 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary OS commands with root privileges on Unitree robotic devices by injecting malicious code into WiFi SSID or password parameters. It affects Unitree Go2, G1, H1, and B2 devices through September 2025. Attackers can gain complete control over affected robots.

💻 Affected Systems

Products:
  • Unitree Go2
  • Unitree G1
  • Unitree H1
  • Unitree B2
Versions: All versions through 2025-09-20
Operating Systems: Linux-based robot OS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the hostapd_restart.sh script used for WiFi configuration restart functions.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full device compromise allowing attackers to execute arbitrary commands as root, potentially taking physical control of robots, stealing sensitive data, or using devices as network pivots.

🟠 Likely Case

Remote code execution leading to device takeover, data exfiltration, or botnet enrollment.

🟢 If Mitigated

Limited impact if devices are isolated from untrusted networks and have restricted WiFi access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept code is publicly available in the UniPwn repository. Exploitation requires network access to the device's WiFi interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch available. Monitor Unitree Robotics for security updates and apply immediately when released.

🔧 Temporary Workarounds

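Disable vulnerable WiFi functions

Platform: linux

Remove the hostapd_restart.sh script or restrict access to it, and disable the WiFi AP/STA restart functionality. The two commands below are alternatives.

# Option 1: strip all permissions from the script
chmod 000 /path/to/hostapd_restart.sh
# Option 2: delete the script
rm /path/to/hostapd_restart.sh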

Network isolation

Platform: all

Place robots on isolated VLANs with strict firewall rules preventing external access to WiFi management interfaces

🧯 If You Can't Patch

  • Disconnect devices from untrusted networks and use wired connections only
  • Implement strict network segmentation with firewall rules blocking all inbound traffic to robot WiFi interfaces

🔍 How to Verify

Check if Vulnerable:

Check if hostapd_restart.sh exists and contains unsanitized $wifi_ssid or $wifi_pass parameters in restart_wifi_ap/restart_wifi_sta functions

Check Version:

Check device firmware version via manufacturer documentation

Verify Fix Applied:

Verify hostapd_restart.sh has been removed or patched with proper input sanitization
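
As a reference for what "proper input sanitization" can look like when reviewing a patched script, the following added example (not Unitree's code and not taken from hostapd_restart.sh) validates the SSID and passphrase against an allowlist and writes them using quoted expansions only. The function names and the allowed character set are assumptions; ssid= and wpa_passphrase= are standard hostapd.conf keys.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not Unitree's hostapd_restart.sh.
LC_ALL=C; export LC_ALL   # byte-wise character ranges and lengths

# Return 0 only if $1 is non-empty, at most $2 bytes long, and made solely of
# allowlisted characters (assumed policy: letters, digits, space . _ @ % + = : , / -).
allowlisted() {
    [ -n "$1" ] && [ "${#1}" -le "$2" ] || return 1
    case "$1" in
        # Anything outside the allowlist fails: newline, semicolon, pipe,
        # backtick, dollar sign, parentheses, quotes, backslash, ...
        *[!A-Za-z0-9._@%+=:,/\ -]*) return 1 ;;
    esac
    return 0
}

is_safe_ssid() { allowlisted "$1" 32; }                        # SSID: 1-32 bytes
is_safe_psk()  { [ "${#1}" -ge 8 ] && allowlisted "$1" 63; }   # WPA2 passphrase: 8-63

# Validate first, then write the two hostapd.conf keys with printf and quoted
# expansions only: no eval, no sh -c, no unquoted $var anywhere.
write_ap_conf() {   # usage: write_ap_conf SSID PSK OUTFILE
    is_safe_ssid "$1" || { echo "rejected SSID" >&2; return 2; }
    is_safe_psk  "$2" || { echo "rejected passphrase" >&2; return 3; }
    printf 'ssid=%s\nwpa_passphrase=%s\n' "$1" "$2" > "$3"
}
```

A patched script that still passes $wifi_ssid or $wifi_pass through eval, sh -c, backticks or an unquoted expansion remains suspect even if it filters some characters.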

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Suspicious process spawning from WiFi-related scripts
  • Failed authentication attempts on WiFi interfaces

Network Indicators:

  • Unexpected outbound connections from robots
  • Suspicious traffic patterns from robot WiFi interfaces

SIEM Query:

process.name: "hostapd_restart.sh" AND (command_line: "*;*" OR command_line: "*|*" OR command_line: "*`*")
