Assessment
CFSE Consequence Paths assesses Unitree Go2 unauthenticated DDS RCE via programming_actuator topic (CVE-2026-27509) at CRITICAL — the worst of 2 risk paths (safety, perception). The dominant consequence is influence over a safety-relevant actuation.
Vulnerability
Unitree Go2 unauthenticated DDS RCE via programming_actuator topic (CVE-2026-27509). Reported attack vector: Network (DDS, local network / same DDS domain).
CFSE Consequence Paths analysis
The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.
DEVICE_CONTROL_SAFETY → CRITICAL
CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:2/EC:3/EX:2/PH:4/DP:3/AT:3/CH:4/SR:3/SX:3/OR:4/EV:3/LS:PATCH_AVAILABLE
Exposure EX=2 (reachability-bound) · bands PH=CRITICAL · DP=HIGH · AT=HIGH → base CRITICAL → assessed CRITICAL.
Unauthenticated DDS publish on domain 0 (local-net/RF-style join, RE:2) carrying api_id=1002 arbitrary Python executed as root via subprocess in the actuator_manager path. Researcher published full repro, no auth bypass needed (EC:3). Root + actuator control gives direct dangerous motion command capability = credible physical safety harm (PH:4). AT:3 = root/service authority modifying/executing arbitrary code, not a signing-root/OTA-root so not 4. Crosses network/device/physical/safety boundaries and RCE+persistence is a reusable bridge (CH:4, boundary_crossing). SR:3 identical flaw reuses across all affected firmware (technique/artifact portability) but no shared secret/key. SX:3 deployment-wide with DDS-domain setup, not self-propagating fleet-scale. Persistence via hotkey-bound scripts surviving reboot, must be manually cleared from /unitree/etc/programming/ (OR:4). Reproduced (EV:3), patched/mitigated by disabling DDS discovery in V1.1.11.
PERCEPTION_PRIVACY → CRITICAL
CPATH:1.0-candidate/TT:PERCEPTION_PRIVACY/RE:2/EC:3/EX:2/PH:4/DP:4/AT:3/CH:4/SR:3/SX:3/OR:4/EV:2/LS:PATCH_AVAILABLE
Exposure EX=2 (reachability-bound) · bands PH=CRITICAL · DP=CRITICAL · AT=HIGH → base CRITICAL · caps privacy-only cap → assessed CRITICAL.
- Same unauthenticated DDS RCE positioning (RE:2, EC:3). Root execution grants full access to onboard live camera and LIDAR / spatial-sensor state and exfiltration (DP:4 world-model/live-camera/nav sensor state).
- perception_feeds_action — true because these same perception streams drive the robot’s navigation and motion decisions, and root can manipulate them. AT:3 root/service authority. PH:2 = surveillance/perception exposure, no direct severe harm on this path. CH:4 reusable bridge crossing device/cloud/physical boundaries (boundary_crossing). SR:3 technique reuses fleet-wide, SX:3 deployment-wide. OR:4 persistence requires manual cleanup. EV:2 (perception/exfil impact is reasoned/report-backed rather than the explicitly reproduced demo, which centered on code execution).
Published baseline
- v4.0 8.5 HIGH —
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X — VulnCheck via NVD
- v3.1 8 HIGH —
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H — VulnCheck via NVD
The published baseline above is retained for source review. The registry records the reachable consequence path, including deployment-specific cyber-physical consequence, physical/safety impact, scale, and recovery burden.
Sources