
Description

Unitree Go2, G1, H1, and B2 devices through 2025-09-20 allow root OS command injection via the hostapd_restart.sh wifi_ssid or wifi_pass parameter (within restart_wifi_ap and restart_wifi_sta).

PUBLISHED Reserved 2025-09-23 | Published 2025-09-26 | Updated 2025-09-26 | Assigner mitre




HIGH: 8.2 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H)

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
unknown

Any version
affected

Default status
unknown

Any version
affected

Default status
unknown

Any version
affected

Default status
unknown

Any version
affected

References

spectrum.ieee.org/unitree-robot-exploit

github.com/Bin4ry/UniPwn

news.ycombinator.com/item?id=45381590

cve.org (CVE-2025-60017)

nvd.nist.gov (CVE-2025-60017)
