{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/b2/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":6.6,"id":"CVE-2025-2894"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Go1","Go2","B2","G1","R1","H1","Figure 02","CloudSail service","X3 vehicles"],"_cs_severities":["critical"],"_cs_tags":["embodied-ai","robot","iot","vulnerability","data-exfiltration"],"_cs_type":"advisory","_cs_vendors":["Unitree","BMW","GXO","Agility Robotics","Sellafield"],"content_html":"\u003cp\u003eEmbodied AI systems, such as humanoid and quadruped robots like the Unitree Go1, Go2, B2, G1, R1, and H1 models, are increasingly integrated into various sectors, including manufacturing, logistics, and security. Research has uncovered critical vulnerabilities in these systems that allow attackers to compromise the robots remotely. These vulnerabilities include undocumented backdoors, exposed APIs, and flaws in the Bluetooth Low Energy and Wi-Fi provisioning interfaces. Successful exploitation can lead to unauthorized access, data exfiltration (including audio, video, and spatial mapping), and the potential to manipulate the robot\u0026rsquo;s physical actions. The risk is heightened by the cloud-dependent architecture and centralized control mechanisms common in these platforms. These vulnerabilities enable attackers to compromise fleets of robots and create physical botnets.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker locates vulnerable Unitree robot via exposed API (CVE-2025-2894) due to weak or default credentials.\u003c/li\u003e\n\u003cli\u003eAttacker exploits undocumented backdoor in the CloudSail service (CVE-2025-2894) to gain initial access.\u003c/li\u003e\n\u003cli\u003eAttacker leverages hardcoded cryptographic keys and trivial authentication bypass in the Bluetooth Low Energy and Wi-Fi provisioning interface (UniPwn research).\u003c/li\u003e\n\u003cli\u003eAttacker injects commands into the Wi-Fi setup process, achieving root-level access to the robot.\u003c/li\u003e\n\u003cli\u003eAttacker uses compromised robot to wirelessly propagate the exploit to nearby Unitree robots, creating a physical botnet.\u003c/li\u003e\n\u003cli\u003eAttacker exfiltrates sensitive data, including audio, video, and spatial mapping data, to an external server at IP address 43.175.229.18.\u003c/li\u003e\n\u003cli\u003eAttacker bypasses normal controller and triggers physical actions, manipulating the robot\u0026rsquo;s behavior.\u003c/li\u003e\n\u003cli\u003eAttacker uses visual prompts injected into the robot\u0026rsquo;s environment to steer autonomous driving, drone landing, and tracking tasks without compromising the underlying software.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised embodied AI systems can lead to significant data breaches, unauthorized access to sensitive environments, and potential physical harm. The Unitree G1 robot, for example, was found to continuously exfiltrate multimodal sensor data, including audio and video, every 300 seconds. A single compromised robot can enable lateral movement across nearby robots, creating a physical botnet. In a manufacturing setting, a compromised robot could disrupt production processes or cause physical damage to equipment. In security applications, a compromised robot could provide unauthorized access to facilities or be used for surveillance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply network segmentation to isolate robot networks and restrict their access to sensitive data to prevent data exfiltration as described in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to the IP address 43.175.229.18, used for unauthorized data exfiltration by compromised Unitree G1 robots, as highlighted in the IOC section.\u003c/li\u003e\n\u003cli\u003eImplement strong authentication mechanisms and regularly update credentials to prevent unauthorized access through exposed APIs and backdoors, as mentioned in the attack chain description covering CVE-2025-2894.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Unitree Robot Command Injection via WiFi Provisioning\u0026rdquo; to identify attempts to exploit the Bluetooth Low Energy and Wi-Fi provisioning interface vulnerabilities described in the attack chain.\u003c/li\u003e\n\u003cli\u003eConduct regular vulnerability assessments and penetration testing of embodied AI systems to identify and remediate security weaknesses proactively.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T12:00:00Z","date_published":"2026-05-06T12:00:00Z","id":"/briefs/2026-05-embodied-ai-vulns/","summary":"Commercially available Unitree robots are susceptible to multiple vulnerabilities, including hardcoded keys and command injection, allowing attackers to gain root-level access, exfiltrate data, and potentially create physical botnets.","title":"Vulnerabilities in Unitree Embodied AI Systems","url":"https://feed.craftedsignal.io/briefs/2026-05-embodied-ai-vulns/"}],"language":"en","title":"CraftedSignal Threat Feed — B2","version":"https://jsonfeed.org/version/1.1"}