
CPATH-2026-0027 · ROBOTICS HUMANOID

Universal Robots PolyScope 5 Dashboard Server OS command injection (CVE-2026-8153)

Provisional. Candidate score (CFSE Consequence Paths 1.0-candidate); pending independent review. Treat as a structured second opinion, not a final rating.
Paths: EMERGENCY · Dominant consequence: DEVICE_CONTROL_SAFETY (Physical/safety) · Evidence: EV:2 (report-backed) · Liveness: PATCH_AVAILABLE
CPATH ID: CPATH-2026-0027
CVE(s): CVE-2026-8153
Device / class: Universal Robots PolyScope 5 Dashboard Server OS command injection (CVE-2026-8153) (ROBOTICS HUMANOID)
Vendor: Universal Robots
Dominant consequence: DEVICE_CONTROL_SAFETY (Physical/safety)
Paths verdict: EMERGENCY (worst of 3 paths)
Published baseline: CVSS v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) · CNA via NVD
Baseline relationship: Paths higher
Consequence dimension(s): #1 #2 #7
Scored: 2026-06-03 · CFSE Consequence Paths v1.0-candidate · validation: provisional
Baseline confidence: high

Consequence Paths

Paths Assessment

Physical/safety

DEVICE_CONTROL_SAFETY

EMERGENCY
Reachability RE:4
Complexity EC:4
Consequence DEVICE_CONTROL_SAFETY
Scale SR:2 / SX:4
Verdict EMERGENCY
Reachability 4
Complexity 4
Exposure 4
Physical / safety 4
Data / perception 3
Authority 3
Chainability 4
Reuse scale 2
Execution scale 4
Recovery 2
Evidence EV:2 · report-backed
Liveness PATCH_AVAILABLE
Vector CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:4/EC:4/EX:4/PH:4/DP:3/AT:3/CH:4/SR:2/SX:4/OR:2/EV:2/LS:PATCH_AVAILABLE

Authority

FLEET_CONTROL_PLANE

EMERGENCY
Reachability RE:4
Complexity EC:4
Consequence FLEET_CONTROL_PLANE
Scale SR:3 / SX:4
Verdict EMERGENCY
Reachability 4
Complexity 4
Exposure 4
Physical / safety 4
Data / perception 3
Authority 3
Chainability 4
Reuse scale 3
Execution scale 4
Recovery 3
Evidence EV:2 · report-backed
Liveness PATCH_AVAILABLE
Vector CPATH:1.0-candidate/TT:FLEET_CONTROL_PLANE/RE:4/EC:4/EX:4/PH:4/DP:3/AT:3/CH:4/SR:3/SX:4/OR:3/EV:2/LS:PATCH_AVAILABLE

Authority

ACCOUNT_AUTHORITY

EMERGENCY
Reachability RE:4
Complexity EC:4
Consequence ACCOUNT_AUTHORITY
Scale SR:2 / SX:4
Verdict EMERGENCY
Reachability 4
Complexity 4
Exposure 4
Physical / safety 4
Data / perception 3
Authority 3
Chainability 3
Reuse scale 2
Execution scale 4
Recovery 2
Evidence EV:2 · report-backed
Liveness PATCH_AVAILABLE
Vector CPATH:1.0-candidate/TT:ACCOUNT_AUTHORITY/RE:4/EC:4/EX:4/PH:4/DP:3/AT:3/CH:3/SR:2/SX:4/OR:2/EV:2/LS:PATCH_AVAILABLE

Assessment

CFSE Consequence Paths assesses Universal Robots PolyScope 5 Dashboard Server OS command injection (CVE-2026-8153) at EMERGENCY — the worst of 3 risk paths (safety, authority). The dominant consequence is influence over a safety-relevant actuation.

Vulnerability

Universal Robots PolyScope 5 Dashboard Server OS command injection (CVE-2026-8153). Reported attack vector: Network.

CFSE Consequence Paths analysis

The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and on the authority, perception, and physical/safety impact it reaches, together with its scale of reuse, scale of execution, and recoverability.

DEVICE_CONTROL_SAFETY · EMERGENCY

CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:4/EC:4/EX:4/PH:4/DP:3/AT:3/CH:4/SR:2/SX:4/OR:2/EV:2/LS:PATCH_AVAILABLE

Exposure EX=4 (reachability and complexity-bound) · bands PH=EMERGENCY · DP=CRITICAL · AT=CRITICAL → base EMERGENCY · uplift fleet-reachable authority → assessed EMERGENCY.

Unauthenticated network-reachable OS command injection (AV:N/AC:L/PR:N) on the PolyScope controller that drives a collaborative arm operating near humans. RE:4 default-exposed network service; EC:4 single low-complexity request, no auth. AT:3 arbitrary OS command execution = service/admin-level control over the controller and its motion programs (not a signing/OTA trust root). PH:4 OS-level control can alter motion of an industrial cobot designed to work near people -> credible injury/dangerous actuation. DP:3 controller exposes program logic and operational state. CH:4 crosses network->controller->physical/safety boundaries and bridges into actuation. SX:4 scriptable across every reachable controller of same version; SR:2 same software version reuse, not a shared secret/key. OR:2 software patch (5.25.1) plus segmentation; no hardware recall. EV:2 vendor+CISA report-backed, no public weaponized PoC. Physical effect inferred from arm control, so EV stays modelled/report-backed.

FLEET_CONTROL_PLANE · EMERGENCY

CPATH:1.0-candidate/TT:FLEET_CONTROL_PLANE/RE:4/EC:4/EX:4/PH:4/DP:3/AT:3/CH:4/SR:3/SX:4/OR:3/EV:2/LS:PATCH_AVAILABLE

Exposure EX=4 (reachability and complexity-bound) · bands PH=EMERGENCY · DP=CRITICAL · AT=CRITICAL → base EMERGENCY · uplift fleet-reachable authority → assessed EMERGENCY.

Cobots deploy in fleets across cells/lines on flat factory networks; an unauthenticated network RCE is scriptable and can be propagated to every reachable controller of the same PolyScope version. RE:4 network-default-exposed; EC:4 trivial reproducible exploitation. AT:3 controller-level command authority replicated fleet-wide (not OTA/signing root, so not 4). PH:3 fleet-wide motion influence reduces safety margins across many cells, but per-cell severe harm is captured in the safety path. DP:3 process/program data across the fleet. CH:4 cross-domain reusable bridge (one exploit -> many controllers). SR:3 shared software version/exploit portability deployment-wide; SX:4 fleet-scale remote execution without per-device physical access. OR:3 recovery requires patching/segmenting every controller across the deployment (fleet action). EV:2 report-backed advisory, no field-confirmed worm.

ACCOUNT_AUTHORITY · EMERGENCY

CPATH:1.0-candidate/TT:ACCOUNT_AUTHORITY/RE:4/EC:4/EX:4/PH:4/DP:3/AT:3/CH:3/SR:2/SX:4/OR:2/EV:2/LS:PATCH_AVAILABLE

Exposure EX=4 (reachability and complexity-bound) · bands PH=EMERGENCY · DP=CRITICAL · AT=CRITICAL → base EMERGENCY · uplift fleet-reachable authority → assessed EMERGENCY.

Direct terminal of the flaw itself: full compromise (C:H/I:H/A:H) of the controller OS with no credentials. RE:4 unauthenticated network surface; EC:4 single low-complexity injection. AT:3 attacker gains arbitrary OS command authority over the controller (service/admin-level), able to modify config and programs; not a signing/identity root so not 4. PH:2 availability/workflow disruption of the controller at this terminal (severe actuation harm scored separately). DP:3 exposes program logic, process data, and connected I/O state. CH:3 controller takeover is a strong pivot into both safety and fleet paths. SR:2 version-shared reachability; SX:4 remotely scriptable across reachable targets. OR:2 software patch plus port/network restriction. EV:2 vendor and CISA confirmed, report-backed.
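As an added example (not part of this registry entry and not CFSE's own tooling), the following Python parses the three CPATH vector strings listed above, cross-checks a vector against the per-path metric rows, and reports which metrics differ between two paths. The vector grammar (a `CPATH:<version>` prefix followed by slash-separated `KEY:VALUE` fields, with numeric metrics in the range 0..4) is inferred from the strings on this page and is an assumption; the band and verdict semantics are not modelled.

```python
"""Parse CFSE 'CPATH' vector strings and cross-check them.

Added example. The vector layout (slash-separated KEY:VALUE fields after a
'CPATH:<version>' prefix, numeric metrics in 0..4) is inferred from the
strings on this registry entry and is an assumption, not a published grammar.
"""
from __future__ import annotations

# Metric keys that carry a 0..4 numeric score in the vectors on the page.
NUMERIC_KEYS = ("RE", "EC", "EX", "PH", "DP", "AT", "CH", "SR", "SX", "OR", "EV")
# Keys that carry a symbolic value (terminal type, liveness).
SYMBOLIC_KEYS = ("TT", "LS")

# Mapping from the human-readable metric rows of the entry to vector keys
# (assumed from the order and names shown on the page).
ROW_TO_KEY = {
    "Reachability": "RE", "Complexity": "EC", "Exposure": "EX",
    "Physical / safety": "PH", "Data / perception": "DP", "Authority": "AT",
    "Chainability": "CH", "Reuse scale": "SR", "Execution scale": "SX",
    "Recovery": "OR",
}


def parse_cpath(vector: str) -> dict:
    """Return {'version': str, 'TT': str, 'LS': str, 'RE': int, ...}.

    Raises ValueError on a malformed prefix, an unknown key, a duplicate key,
    a missing key, or a numeric metric outside 0..4.
    """
    parts = vector.strip().split("/")
    if not parts[0].startswith("CPATH:"):
        raise ValueError("vector must start with 'CPATH:<version>'")
    out: dict = {"version": parts[0][len("CPATH:"):]}
    for field in parts[1:]:
        key, sep, value = field.partition(":")
        if not sep:
            raise ValueError(f"field without ':' separator: {field!r}")
        if key in out:
            raise ValueError(f"duplicate key {key}")
        if key in NUMERIC_KEYS:
            if not value.isdigit() or not 0 <= int(value) <= 4:
                raise ValueError(f"{key} must be an integer 0..4, got {value!r}")
            out[key] = int(value)
        elif key in SYMBOLIC_KEYS:
            out[key] = value
        else:
            raise ValueError(f"unknown key {key}")
    missing = [k for k in NUMERIC_KEYS + SYMBOLIC_KEYS if k not in out]
    if missing:
        raise ValueError(f"missing keys: {missing}")
    return out


def check_against_rows(vector: str, rows: dict[str, int]) -> list[str]:
    """Compare a vector with the per-path metric rows; return any mismatches."""
    parsed = parse_cpath(vector)
    problems = []
    for row, key in ROW_TO_KEY.items():
        if row in rows and rows[row] != parsed[key]:
            problems.append(f"{row}: row says {rows[row]}, vector {key}:{parsed[key]}")
    return problems


def diff_paths(a: str, b: str) -> dict[str, tuple]:
    """Return {key: (value_in_a, value_in_b)} for every field that differs."""
    pa, pb = parse_cpath(a), parse_cpath(b)
    return {k: (pa[k], pb[k]) for k in pa if pa[k] != pb[k]}


# The three vectors from this entry, plus the safety path's metric rows,
# copied from the page as sample input.
SAFETY = "CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:4/EC:4/EX:4/PH:4/DP:3/AT:3/CH:4/SR:2/SX:4/OR:2/EV:2/LS:PATCH_AVAILABLE"
FLEET = "CPATH:1.0-candidate/TT:FLEET_CONTROL_PLANE/RE:4/EC:4/EX:4/PH:4/DP:3/AT:3/CH:4/SR:3/SX:4/OR:3/EV:2/LS:PATCH_AVAILABLE"
ACCOUNT = "CPATH:1.0-candidate/TT:ACCOUNT_AUTHORITY/RE:4/EC:4/EX:4/PH:4/DP:3/AT:3/CH:3/SR:2/SX:4/OR:2/EV:2/LS:PATCH_AVAILABLE"
SAFETY_ROWS = {
    "Reachability": 4, "Complexity": 4, "Exposure": 4, "Physical / safety": 4,
    "Data / perception": 3, "Authority": 3, "Chainability": 4,
    "Reuse scale": 2, "Execution scale": 4, "Recovery": 2,
}

if __name__ == "__main__":
    print(parse_cpath(SAFETY))
    print("safety row mismatches:", check_against_rows(SAFETY, SAFETY_ROWS))
    print("safety vs fleet:", diff_paths(SAFETY, FLEET))
    print("safety vs account:", diff_paths(SAFETY, ACCOUNT))
```

Run against the page's own strings, the cross-check of the safety vector against its metric rows reports no mismatches, and the path diffs show that the fleet path differs from the safety path only in reuse scale and recovery (SR, OR), while the account-authority path differs only in chainability (CH). Rejecting out-of-range or unknown fields matters when such vectors are ingested from a feed, since a silently accepted malformed vector would skew any downstream triage.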

Published baseline

The published baseline above is retained for source review. The registry records the reachable consequence path, including deployment-specific cyber-physical consequence, physical/safety impact, scale, and recovery burden.

Sources

Cite this entry: CFSE Consequence Paths Registry v1.0-candidate, entry CPATH-2026-0027 (“Universal Robots PolyScope 5 Dashboard Server OS command injection (CVE-2026-8153)”), paths.cfse.ai/CPATH-2026-0027 (published 2026-06-03).