A critical command injection vulnerability in Universal Robots' PolyScope 5 OS could allow an unauthenticated attacker to execute commands on the robot's operating system, potentially compromising the controller and disrupting the environments in which its cobots operate, according to the company advisory. The flaw, tracked as CVE-2026-8153 and carrying a CVSS base score of 9.8, exists in the Dashboard Server interface: input received over that interface is not properly neutralised before it is passed to the underlying OS, so attacker-controlled input can be interpreted as OS command syntax rather than as data.
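To make the bug class the advisory describes concrete, the following is an added Python example, not Universal Robots' code, and it says nothing about how the Dashboard Server is actually implemented. It models a hypothetical request handler that shells out with a caller-supplied parameter; the handler names, the `echo` command standing in for whatever a real service would invoke, the allow-list pattern, and the constructed input `demo; echo INJECTED` are all assumptions. The vulnerable handler lets a `;` in the parameter start a second command; the hardened handler rejects anything outside a character allow-list and passes the value as a single argv element with no shell, so the OS never parses it as command syntax.

```python
"""Illustrative OS command injection (CWE-78) beside its fix.

Added example, not Universal Robots code. The real Dashboard Server flaw
is not public in source form, so this models the bug class with a
hypothetical handler that shells out using a caller-supplied name.
"""
import re
import subprocess

# Constructed attacker input (assumption): a plausible value followed by a
# shell metacharacter and a second command.
INJECTED_INPUT = "demo; echo INJECTED"


def vulnerable_handler(name: str) -> str:
    """Interpolates the parameter into a command string and hands it to a
    shell. The ';' inside `name` terminates the intended command and starts
    a second one chosen by the caller."""
    result = subprocess.run(
        f"echo loading {name}", shell=True, capture_output=True, text=True
    )
    return result.stdout


# Allow-list for the parameter: only characters a program name needs.
# Spaces, ';', '|', '&', '$', quotes and newlines are all rejected.
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def is_rejected(name: str) -> bool:
    """True when the value would fail the allow-list check."""
    return _NAME_RE.fullmatch(name) is None


def validate_name(name: str) -> str:
    """Reject the value before it gets anywhere near a process boundary."""
    if is_rejected(name):
        raise ValueError(f"rejected parameter: {name!r}")
    return name


def argv_only_handler(name: str) -> str:
    """Second layer shown in isolation: with an argv list and no shell, the
    whole value is delivered to the program as one literal argument, so the
    ';' is just a character in that argument."""
    result = subprocess.run(
        ["echo", "loading", name], capture_output=True, text=True
    )
    return result.stdout


def hardened_handler(name: str) -> str:
    """Both layers together: allow-list validation, then argv invocation."""
    return argv_only_handler(validate_name(name))


if __name__ == "__main__":
    print("vulnerable :", repr(vulnerable_handler(INJECTED_INPUT)))
    print("argv only  :", repr(argv_only_handler(INJECTED_INPUT)))
    try:
        hardened_handler(INJECTED_INPUT)
    except ValueError as exc:
        print("hardened   :", exc)
    print("hardened   :", repr(hardened_handler("demo")))
```

Run on its own, the vulnerable handler prints a second line, `INJECTED`, that the service never intended to produce, while the argv-only handler echoes the entire input as literal text. Validation is kept as a separate layer because argv invocation alone does not protect a program that itself interprets its arguments (a `-flag` prefix, an option parser, or a further shell call downstream); the allow-list catches those cases, and the absence of a shell catches anything the allow-list might miss.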
Universal Robots credits Vera Mens of Claroty Team82 with the discovery and responsible disclosure, and notes coordination with CISA and CERT/CC's VINCE platform; CISA has issued its own advisory on the vulnerability. The advisory states that remote exploitation requires the Dashboard Server to be enabled in the UI and its port to be reachable by the attacker. Because the interface does not require authentication, any host that can reach that port is in a position to achieve remote code execution on the controller.
The primary mitigation is to update to version 5.25.1 or newer as soon as possible. Where that cannot be done immediately, CISA's defensive guidance applies: minimise the controller's network exposure, disable the Dashboard Server if it is not required, and restrict access to its port to trusted hosts or subnets. Disabling the service removes the exposed interface entirely; restricting the port limits who can reach it until the update is installed.