Vulnerabilities in Unitree Embodied AI Systems

Embodied AI systems, such as humanoid and quadruped robots like the Unitree Go1, Go2, B2, G1, R1, and H1 models, are increasingly integrated into various sectors, including manufacturing, logistics, and security. Research has uncovered critical vulnerabilities in these systems that allow attackers to compromise the robots remotely. These vulnerabilities include undocumented backdoors, exposed APIs, and flaws in the Bluetooth Low Energy and Wi-Fi provisioning interfaces. Successful exploitation can lead to unauthorized access, data exfiltration (including audio, video, and spatial mapping), and the potential to manipulate the robot’s physical actions. The risk is heightened by the cloud-dependent architecture and centralized control mechanisms common in these platforms. These vulnerabilities enable attackers to compromise fleets of robots and create physical botnets.

Attack Chain

1. Attacker locates vulnerable Unitree robot via exposed API (CVE-2025-2894) due to weak or default credentials.
2. Attacker exploits undocumented backdoor in the CloudSail service (CVE-2025-2894) to gain initial access.
3. Attacker leverages hardcoded cryptographic keys and trivial authentication bypass in the Bluetooth Low Energy and Wi-Fi provisioning interface (UniPwn research).
4. Attacker injects commands into the Wi-Fi setup process, achieving root-level access to the robot.
5. Attacker uses compromised robot to wirelessly propagate the exploit to nearby Unitree robots, creating a physical botnet.
6. Attacker exfiltrates sensitive data, including audio, video, and spatial mapping data, to an external server at IP address 43.175.229.18.
7. Attacker bypasses normal controller and triggers physical actions, manipulating the robot’s behavior.
8. Attacker uses visual prompts injected into the robot’s environment to steer autonomous driving, drone landing, and tracking tasks without compromising the underlying software.

Impact

Compromised embodied AI systems can lead to significant data breaches, unauthorized access to sensitive environments, and potential physical harm. The Unitree G1 robot, for example, was found to continuously exfiltrate multimodal sensor data, including audio and video, every 300 seconds. A single compromised robot can enable lateral movement across nearby robots, creating a physical botnet. In a manufacturing setting, a compromised robot could disrupt production processes or cause physical damage to equipment. In security applications, a compromised robot could provide unauthorized access to facilities or be used for surveillance.

Recommendation

• Apply network segmentation to isolate robot networks and restrict their access to sensitive data to prevent data exfiltration as described in the overview.
• Monitor network traffic for connections to the IP address 43.175.229.18, used for unauthorized data exfiltration by compromised Unitree G1 robots, as highlighted in the IOC section.
• Implement strong authentication mechanisms and regularly update credentials to prevent unauthorized access through exposed APIs and backdoors, as mentioned in the attack chain description covering CVE-2025-2894.
• Deploy the Sigma rule “Detect Unitree Robot Command Injection via WiFi Provisioning” to identify attempts to exploit the Bluetooth Low Energy and Wi-Fi provisioning interface vulnerabilities described in the attack chain.
• Conduct regular vulnerability assessments and penetration testing of embodied AI systems to identify and remediate security weaknesses proactively.