CVE-2025-41110
HIGH
Ghost Robotics Vision 60 v0.27.2 - Improper Authentication via Hardcoded WiFi and SSH Credentials
Title source: llm
Description
Encrypted WiFi and SSH credentials were found in the Ghost Robotics Vision 60 v0.27.2 APK. This vulnerability allows an attacker to connect to the robot's WiFi and view all its data, as it runs on ROS 2 without default authentication. In addition, the attacker can connect via SSH and gain full control of the robot, which could cause physical damage to the robot itself or its environment.
Scores
CVSS v3: 8.8
EPSS: 0.0021
EPSS Percentile: 11.7%
Attack Vector: ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-287, CWE-306
Status: published
Products (1): ghostrobotics/vision_60_firmware 0.27.2
Published: Oct 22, 2025
Tracked Since: Feb 18, 2026