CVE-2026-8153
Status: Awaiting Analysis
OS Command Injection in Universal Robots PolyScope

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: Teradyne Robotics

Description
OS command injection in the Dashboard Server interface in Universal Robots PolyScope versions prior to 5.21.1 allows an unauthenticated attacker to craft commands that will execute code on the robot's OS.
Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-05-09
AI Q&A: 2026-05-09
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
universal_robots | polyscope | up to 5.21.1 (exclusive)
CWE ID | Description
CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

The vulnerability allows unauthenticated OS command injection via the Dashboard Server interface on port 29999.

Immediate mitigation steps include restricting or disabling access to the Dashboard Server interface on port 29999 from untrusted networks.

Ensure that only trusted users and systems can communicate with the Dashboard Server by implementing network-level controls such as firewalls or VPNs.

Monitor and audit any access attempts to the Dashboard Server to detect suspicious activity.

Plan to upgrade Universal Robots PolyScope to version 5.21.1 or later, where this vulnerability is fixed.


Can you explain this vulnerability to me?

This vulnerability is an OS command injection in the Dashboard Server interface of Universal Robots PolyScope versions prior to 5.21.1. It allows an unauthenticated attacker to craft commands that will execute arbitrary code on the robot's operating system.


How can this vulnerability impact me?

An attacker exploiting this vulnerability can execute arbitrary code on the robot's OS without authentication. This can lead to full compromise of the robot, including unauthorized control, disruption of operations, and potential damage to the robot or its environment.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability involves OS command injection via the Universal Robots Dashboard Server interface, which communicates over TCP/IP on port 29999.

To detect this vulnerability on your network or system, you can monitor or attempt to connect to the Dashboard Server on port 29999 using tools like HyperTerminal or SocketTest.

By sending crafted commands ending with a newline to the Dashboard Server, you may observe if unauthorized command execution is possible, indicating the presence of the vulnerability.

  • Use a TCP client tool (e.g., SocketTest) to connect to the robot's IP on port 29999.
  • Send legitimate Dashboard Server commands to verify normal operation.
  • Attempt to send crafted commands that include OS command injection payloads to test if code execution occurs.
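
A non-intrusive way to inventory affected controllers, as an added example that is not part of the original page or any vendor tooling: it reads the software version over the Dashboard Server and compares it with the fixed release 5.21.1. The `PolyscopeVersion` command, the greeting line and the `URSoftware x.y.z` reply format are assumptions based on the Dashboard Server documentation; the function names are illustrative.

```python
import re
import socket

FIXED = (5, 21, 1)       # first fixed PolyScope release, per the advisory
DASHBOARD_PORT = 29999   # Dashboard Server TCP port, per the advisory

def parse_version(reply):
    """Extract (major, minor, patch) from a version reply, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", reply)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(reply):
    """Map a version reply to 'affected', 'fixed' or 'unknown'."""
    version = parse_version(reply)
    if version is None:
        return "unknown"   # unparseable reply: needs manual review
    # Tuple comparison is numeric, so 5.9.4 sorts before 5.21.1.
    return "affected" if version < FIXED else "fixed"

def query_version(host, timeout=3.0):
    """Return the version reply, or None if port 29999 is unreachable."""
    try:
        with socket.create_connection((host, DASHBOARD_PORT), timeout) as s:
            f = s.makefile("rw", newline="\n")
            f.readline()                      # greeting line (assumed)
            f.write("PolyscopeVersion\n")     # assumed read-only version query
            f.flush()
            return f.readline().strip()
    except OSError:                           # refused, filtered or timed out
        return None

def audit(hosts, query=query_version):
    """Return {host: status} for an inventory of robot addresses."""
    results = {}
    for host in hosts:
        reply = query(host)
        results[host] = "unreachable" if reply is None else classify(reply)
    return results

if __name__ == "__main__":
    import sys
    for host, status in audit(sys.argv[1:]).items():
        print(f"{host}\t{status}")
```

Run it from the network segment you consider untrusted: any result other than `unreachable` means port 29999 is exposed to that segment, and `affected` additionally means the controller still needs the 5.21.1 upgrade.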

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to execute OS commands on the robot, potentially leading to unauthorized access and control over the system. This could result in compromise of data confidentiality, integrity, and availability.

Such a security breach may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure system operations. Unauthorized code execution could lead to data breaches or operational disruptions, violating these regulatory requirements.

