CVE-2025-35027: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Unitree Go2

Severity: High
Type: Vulnerability
Tags: CVE-2025-35027, cve, cve-2025-35027, cwe-78
Published: Fri Sep 26 2025 (09/26/2025, 06:53:49 UTC)
Source: CVE Database V5
Vendor/Project: Unitree
Product: Go2

Description

Multiple robotic products by Unitree sharing a common firmware, including the Go2, G1, H1, and B2 devices, contain a command injection vulnerability. By setting a malicious string when configuring the on-board WiFi via a BLE module of an affected robot, then triggering a restart of the WiFi service, an attacker can ultimately trigger commands to be run as root via the wpa_supplicant_restart.sh shell script.

AI-Powered Analysis

Last updated: 09/26/2025, 07:01:32 UTC

Technical Analysis

CVE-2025-35027 is a high-severity OS command injection vulnerability affecting multiple robotic products by Unitree, including the Go2, G1, H1, and B2 models. These devices share a common firmware that contains a flaw in the handling of WiFi configuration via the BLE (Bluetooth Low Energy) module. When an attacker sets a malicious string during the configuration of the on-board WiFi and subsequently triggers a restart of the WiFi service, arbitrary commands are executed with root privileges. Execution happens through the wpa_supplicant_restart.sh shell script, which fails to properly neutralize special characters or sanitize input, leading to CWE-78 (Improper Neutralization of Special Elements used in an OS Command).

The CVSS v3.1 base score is 7.3, reflecting a high severity due to the ability to execute commands as root remotely with low attack complexity and no user interaction required. The attack vector is adjacent network (AV:A), requiring low privileges (PR:L) and no user interaction (UI:N). The impact on confidentiality and integrity is high, while availability is not affected.

No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability poses a significant risk to the security of robotic systems that rely on these Unitree devices, potentially allowing attackers to gain full control over the affected robots remotely via BLE and WiFi interfaces.

Potential Impact

For European organizations deploying Unitree robotic products, this vulnerability could lead to unauthorized root-level access to robotic systems, enabling attackers to manipulate robot behavior, steal sensitive data, or disrupt operations. Given the increasing adoption of robotics in manufacturing, logistics, research, and service industries across Europe, exploitation could result in operational downtime, intellectual property theft, and safety hazards. The ability to execute commands as root without user interaction and with low complexity increases the likelihood of targeted attacks or lateral movement within networks. Additionally, compromised robots could be used as pivot points for further attacks on corporate networks. The impact is particularly critical for sectors relying on automation and robotics for critical infrastructure or sensitive processes, such as automotive manufacturing hubs in Germany, aerospace in France, and research institutions across the EU.

Mitigation Recommendations

1. Immediate mitigation should include restricting BLE access to trusted devices only and monitoring BLE traffic for suspicious configuration attempts.
2. Disable or limit remote WiFi configuration capabilities via BLE until a patch is available.
3. Implement network segmentation to isolate robotic devices from critical IT infrastructure, minimizing lateral movement risk.
4. Employ strict input validation and sanitization on all configuration interfaces, especially those accessible via BLE or other wireless protocols.
5. Monitor logs for unusual restarts of the WiFi service or execution of the wpa_supplicant_restart.sh script.
6. Coordinate with Unitree for timely firmware updates and apply patches as soon as they are released.
7. Conduct security audits and penetration testing focused on robotic device interfaces to identify similar vulnerabilities.
8. Educate operational technology (OT) and security teams about this vulnerability and the importance of securing BLE and WiFi configuration channels.
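
What recommendation 4 can look like for WiFi settings received over BLE, as an added example that is not Unitree firmware code and not taken from the advisory: the values are validated as data and written to a wpa_supplicant network block without ever being evaluated by a shell. The function names and the passphrase policy are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Unitree firmware code: treat BLE-supplied WiFi settings
# as data. Function names and the passphrase policy are assumptions.

# Count bytes on stdin; $(( )) strips the padding some wc builds emit.
byte_count() { echo $(( $(LC_ALL=C wc -c) )); }

# SSID: any byte is legal on air, so only bound the length (1..32 bytes,
# the 802.11 limit) and rely on hex encoding at output time.
valid_ssid() {
    n=$(printf '%s' "$1" | byte_count)
    [ "$n" -ge 1 ] && [ "$n" -le 32 ]
}

# WPA passphrase: 8..63 printable ASCII. '"' and '\' are also refused here
# (a conservative assumption) because the value is written inside quotes.
valid_passphrase() {
    n=$(printf '%s' "$1" | byte_count)
    [ "$n" -ge 8 ] && [ "$n" -le 63 ] || return 1
    # Delete every allowed byte; anything left (newline, quote, ...) is bad.
    # Counting bytes avoids $( ) silently dropping a trailing newline.
    bad=$(printf '%s' "$1" | LC_ALL=C tr -d '\040-\041\043-\133\135-\176' | byte_count)
    [ "$bad" -eq 0 ]
}

# Emit a wpa_supplicant network block. The SSID is written as an unquoted
# hex string (a form wpa_supplicant accepts), so no SSID byte can alter the
# file syntax. Values are only ever passed as printf arguments: no eval, no
# command string built from them. od -v stops repeated lines becoming '*'.
emit_network_block() {
    valid_ssid "$1" && valid_passphrase "$2" || return 1
    ssid_hex=$(printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n')
    printf 'network={\n\tssid=%s\n\tpsk="%s"\n}\n' "$ssid_hex" "$2"
}

# Constructed sample input: shell metacharacters in the SSID end up as hex.
emit_network_block 'Lab $(id)' 'constructed-pass-1'
```

With the settings stored this way, the WiFi restart step can run without taking any user-controlled argument.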

Technical Details

Data Version: 5.1
Assigner Short Name: AHA
Date Reserved: 2025-04-15T20:41:31.524Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68d63a3cd03b6389fc3d0de1

Added to database: 9/26/2025, 7:01:16 AM

Last enriched: 9/26/2025, 7:01:32 AM

Last updated: 9/26/2025, 10:53:19 AM