CVE-2026-8153
Awaiting Analysis Awaiting Analysis - Queue
OS Command Injection in Universal Robots PolyScope

Publication date: 2026-05-08

Last updated on: 2026-05-11

Assigner: Teradyne Robotics

Description
OS command injection in Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 allows unauthenticated attacker to craft commands that will execute code on the robot's OS.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-11
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-8153
EUVD
EUVD-2026-28548
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
universal_robots polyscope to 5.21.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an OS command injection in the Dashboard Server interface of Universal Robots PolyScope versions prior to 5.21.1. It allows an unauthenticated attacker to craft commands that will execute arbitrary code on the robot's operating system.

Impact Analysis

An attacker exploiting this vulnerability can execute arbitrary code on the robot's OS without authentication. This can lead to full compromise of the robot, including unauthorized control, disruption of operations, and potential damage to the robot or its environment.

Detection Guidance

The vulnerability involves OS command injection via the Universal Robots Dashboard Server interface, which communicates over TCP/IP on port 29999.

To detect this vulnerability on your network or system, you can monitor or attempt to connect to the Dashboard Server on port 29999 using tools like HyperTerminal or SocketTest.

By sending crafted commands ending with a newline to the Dashboard Server, you may observe if unauthorized command execution is possible, indicating the presence of the vulnerability.

  • Use a TCP client tool (e.g., SocketTest) to connect to the robot's IP on port 29999.
  • Send legitimate Dashboard Server commands to verify normal operation.
  • Attempt to send crafted commands that include OS command injection payloads to test if code execution occurs.
Compliance Impact

The vulnerability allows unauthenticated attackers to execute OS commands on the robot, potentially leading to unauthorized access and control over the system. This could result in compromise of data confidentiality, integrity, and availability.

Such a security breach may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure system operations. Unauthorized code execution could lead to data breaches or operational disruptions, violating these regulatory requirements.

Mitigation Strategies

The vulnerability allows unauthenticated OS command injection via the Dashboard Server interface on port 29999.

Immediate mitigation steps include restricting or disabling access to the Dashboard Server interface on port 29999 from untrusted networks.

Ensure that only trusted users and systems can communicate with the Dashboard Server by implementing network-level controls such as firewalls or VPNs.

Monitor and audit any access attempts to the Dashboard Server to detect suspicious activity.

Plan to upgrade Universal Robots PolyScope to version 5.21.1 or later, where this vulnerability is fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8153. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart