According to CISA and Universal Robots, PolyScope 5, the operating system powering the company’s cobots, is affected by CVE-2026-8153, an OS command injection in the Dashboard Server interface. The flaw is rated critical with a CVSS score of 9.8 and has been patched in PolyScope 5.25.1.
Universal Robots explains that the Dashboard Server accepts user-controlled input and can allow unauthenticated attackers with network access to craft commands executed on the robot’s operating system, leading to remote code execution and potential control of the controller. Vera Mens from Claroty warned that cobots have a control box with an Ethernet port that could be used on demand, and that flat, unsegmented OT networks can make footholds easier. In a worst-case scenario, an attacker could compromise one cobot and potentially the entire fleet of cobots and their peripherals.
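For triaging a fleet against the fixed release, the following is an added example (not code from Universal Robots, CISA or Claroty) that classifies controllers by their reported PolyScope version. The inventory names and versions are constructed, and treating every PolyScope 5 release below 5.25.1 as affected is an assumption drawn from the fixed version stated above.

```python
import re

PATCHED = (5, 25, 1)  # fixed PolyScope 5 release named in the text above

def parse_version(text):
    """Return (major, minor, patch), or None if text is not a dotted version.
    A trailing build number (a fourth component) is accepted and ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?", text.strip())
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())

def triage(version_text):
    """Classify one controller by its reported PolyScope version."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"        # unreadable inventory entry: verify by hand
    if version[0] != 5:
        return "out-of-scope"   # the text above only covers PolyScope 5
    # Tuples compare numerically, so 5.9.4 sorts below 5.25.1; a plain
    # string comparison would wrongly rank "5.9.4" above "5.25.1".
    return "vulnerable" if version < PATCHED else "patched"

def needs_action(inventory):
    """Names of controllers that are vulnerable or could not be classified."""
    return sorted(name for name, ver in inventory.items()
                  if triage(ver) in ("vulnerable", "unknown"))

# Constructed sample inventory (hypothetical names and versions).
FLEET = {
    "cell-a-ur10e": "5.9.4",
    "cell-b-ur5e": "5.25.1",
    "cell-c-ur16e": "5.25.0.1234",
    "lab-ur3": "3.15.8",
    "spare-ur5e": "n/a",
}

if __name__ == "__main__":
    for name, ver in FLEET.items():
        print(f"{name:14} {ver:12} {triage(ver)}")
    print("needs action:", ", ".join(needs_action(FLEET)))
```

Controllers reported as "unknown" are listed alongside vulnerable ones so that a bad inventory entry is checked rather than silently skipped.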