CVE-2025-45467 identifies a security vulnerability in the Unitree Go1 robotic platform, specifically affecting firmware versions up to Go1_2022_05_11. The vulnerability arises from the firmware update mechanism, which relies solely on MD5 checksums to verify the integrity of firmware images transmitted over Wi-Fi or Ethernet. MD5 is a cryptographically broken and unsuitable hash function for security purposes due to its susceptibility to collision attacks, where an attacker can craft malicious firmware that produces the same MD5 hash as a legitimate update. This insecure verification mechanism means that an attacker with network access could potentially replace or inject malicious firmware onto the device without detection. The firmware update process lacks stronger cryptographic protections such as digital signatures or more secure hash functions (e.g., SHA-256), which would ensure authenticity and integrity. Exploiting this vulnerability could allow an attacker to gain control over the robot's operations, manipulate its behavior, or use it as a foothold within a network. Although no known exploits are currently reported in the wild, the fundamental weakness in the update verification process presents a significant risk, especially as robotic platforms like Unitree Go1 are increasingly deployed in research, industrial, and commercial environments. The lack of a CVSS score indicates that this vulnerability is newly published and has not yet been fully assessed for severity, but the technical details suggest a critical security flaw in the update mechanism.

For European organizations utilizing Unitree Go1 robots, this vulnerability poses a serious risk to operational security and safety. Compromised firmware could lead to unauthorized control of robotic functions, potentially causing physical damage, disruption of automated processes, or leakage of sensitive data collected or processed by the robots. In sectors such as manufacturing, logistics, research institutions, and service robotics, this could translate into financial losses, reputational damage, and safety hazards for personnel. Additionally, compromised robots could serve as entry points for lateral movement within corporate networks, increasing the risk of broader cyber intrusions. Given the increasing adoption of robotic automation in Europe, the impact extends beyond individual organizations to critical infrastructure and supply chains that rely on such technologies. The absence of strong cryptographic verification undermines trust in firmware updates, potentially delaying necessary security patches and increasing exposure time.

To mitigate this vulnerability, European organizations should implement the following specific measures: 1) Immediately restrict network access to the firmware update interfaces of Unitree Go1 robots by segmenting them into isolated network zones and applying strict firewall rules to limit update traffic to trusted sources only. 2) Coordinate with Unitree Robotics to obtain firmware updates or patches that replace MD5 checksum verification with secure digital signature mechanisms using asymmetric cryptography. 3) Until official patches are available, implement manual verification procedures for firmware authenticity, such as out-of-band validation or checksum comparison using stronger hash functions if possible. 4) Monitor network traffic for anomalous firmware update attempts or unauthorized connections to the robot’s update service. 5) Conduct regular security audits and penetration testing focused on robotic platforms to identify and remediate similar weaknesses. 6) Educate operational technology and IT teams about the risks of insecure firmware updates and enforce strict change management policies for robotic systems. These targeted actions go beyond generic advice by focusing on network controls, vendor coordination, and operational procedures specific to the Unitree Go1 platform.