Critical OS Command Injection Vulnerability in Universal Robots PolyScope 5
A critical OS command injection vulnerability, CVE-2026-8153, has been disclosed in Universal Robots PolyScope 5, exposing industrial robot fleets to potential remote compromise.

Universal Robots, a Danish company specializing in collaborative industrial robots (cobots), has patched a critical vulnerability in its PolyScope 5 software, which runs on the robot controller. The flaw, tracked as CVE-2026-8153, is an OS command injection vulnerability in the Dashboard Server interface that lets unauthenticated attackers execute arbitrary commands on the controller's underlying operating system.
The vulnerability carries a CVSS score of 9.8, critical severity. According to the advisory, the Dashboard Server accepts user-controlled input and passes it to the operating system without proper sanitization, so an attacker who can reach the Dashboard Server port over the network can inject commands and achieve remote code execution, compromising the confidentiality, integrity and availability of the robot controller.
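The advisory's description of the flaw, user-controlled input handed to the operating system without sanitization, is the classic shape of a command injection. The Python example below is added here to show that pattern beside its fix; it is not PolyScope or Dashboard Server code, and the handler names, the `echo` command standing in for whatever the real service runs, and the sample inputs are all constructed for the demonstration.

```python
import re
import subprocess

# Constructed sample inputs (not taken from the advisory): a benign value a
# client might send, and the same value with a shell metacharacter appended.
BENIGN_NAME = "program1"
INJECTED_NAME = "program1; echo INJECTED"


def load_program_vulnerable(name: str) -> str:
    """Hypothetical handler built the way the advisory describes the flaw:
    request text is spliced into a command string that a shell interprets.
    `echo` stands in for the real command; any shell=True call behaves alike."""
    cmd = f"echo loading {name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def load_program_argv(name: str) -> str:
    """First fix: pass the value as one argv element with no shell involved.
    Metacharacters reach the child program literally and are never parsed."""
    return subprocess.run(["echo", "loading", name],
                          capture_output=True, text=True).stdout


# Allowlist for the second fix: letters, digits, '_' and '-', no leading '-'
# (so the value cannot be read as an option) and bounded length.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def load_program_hardened(name: str) -> str:
    """Second fix, layered on the first: reject anything outside the allowlist
    before it reaches a process at all. argv alone stops shell injection but
    not values that are dangerous to the target program itself."""
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"rejected program name: {name!r}")
    return load_program_argv(name)


def injection_executed(output: str) -> bool:
    """Did the appended command actually run? Only a shell turns the ';' into
    a second command, which shows up as its own output line."""
    return "INJECTED" in output.splitlines()


def hardened_rejects(name: str) -> bool:
    """True when the hardened handler refuses the input before executing."""
    try:
        load_program_hardened(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", repr(load_program_vulnerable(INJECTED_NAME)))
    print("argv only :", repr(load_program_argv(INJECTED_NAME)))
    print("hardened rejects injected input:", hardened_rejects(INJECTED_NAME))
```

Run on a POSIX system, the vulnerable handler prints a second line, INJECTED, proving the appended command executed; the argv variant prints the whole string as one literal line, and the hardened variant never starts a process for the malformed name. Both layers matter: argv removes the shell from the path, the allowlist keeps option-like or path-like values away from the target program.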
Universal Robots noted that exploitation requires the Dashboard Server to be enabled and its port reachable from the attacker's position. The company states that its robots are not designed for direct internet access and are typically protected by firewalls. However, Vera Mens, the Claroty researcher who discovered the flaw, warned that many industrial networks are flat, with no segmentation between zones, so an attacker who gains an initial foothold anywhere on the network can reach the port and exploit the vulnerability.
In a flat network, an attacker could compromise one or more cobots. The control box is a general-purpose Linux computer connected via Ethernet and serial ports to other equipment. The least severe outcome is complete control of a single cobot, which could pose hazards to humans, but the impact could escalate to compromising an entire fleet of cobots and their peripherals.
The vulnerability has been patched in PolyScope version 5.25.1. Users are urged to update immediately and to ensure that the Dashboard Server is not reachable from untrusted networks; a practical check is to confirm, from a host outside the robot cell's network segment, that the Dashboard Server port does not answer, and to disable the service on controllers where it is not needed. CISA also published an advisory urging critical infrastructure operators to apply the patch.
This disclosure highlights the growing security risks in industrial robotics, especially as cobots become more connected. The lack of network segmentation in many manufacturing environments amplifies the potential damage from such vulnerabilities.
Dark Reading's coverage adds context on the impact of CVE-2026-8153, noting that exploitation could lead to production shutdowns, sabotage of manufacturing workflows, or manipulation of robotic precision, with safety implications for workers near compromised cobots. It also quotes Morey Haber of BeyondTrust, who emphasizes strict IT/OT segmentation and disabling the Dashboard Server when it is not in use.