CVE-2025-2894
MEDIUMUnitree Go1 Firmware - CloudSail Remote Control Backdoor
Title source: manualDescription
The Go1 also known as "The World's First Intelligence Bionic Quadruped Robot Companion of Consumer Level," contains an undocumented backdoor that can enable the manufacturer, and anyone in possession of the correct API key, complete remote control over the affected robotic device using the CloudSail remote access service.
References (5)
Core 5
Core References
Exploit, Third Party Advisory technical-description
https://github.com/MAVProxyUser/YushuTechUnitreeGo1/blob/main/Unitree_report.pdf
Press/Media Coverage related
https://x.com/d0tslash/status/1730989109332607208
Issue Tracking, Third Party Advisory issue-tracking
https://github.com/unitreerobotics/unitree_ros/issues/120
Exploit, Mitigation, Third Party Advisory third-party-advisory
https://takeonme.org/cves/cve-2025-2894/
Press/Media Coverage media-coverage
https://www.axios.com/2025/04/01/threat-spotlight-backdoor-in-chinese-robots-future-of-cybersecurity
Scores
CVSS v3
6.6
EPSS
0.0054
EPSS Percentile
40.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-912
Status
published
Products (1)
unitree/go1_firmware
Published
Mar 28, 2025
Tracked Since
Feb 18, 2026