Critical vulnerability in Universal Robots’ PolyScope OS allows remote command execution

May 26, 2026
By SC Staff

A critical command injection vulnerability has been discovered in Universal Robots' PolyScope 5 operating system, which powers the company's collaborative robots. This flaw allows attackers to remotely execute commands on vulnerable industrial robots without requiring authentication, as reported by Tech Radar.

The vulnerability, tracked as CVE-2026-8153 with a CVSS score of 9.8, affects all PolyScope software versions prior to 5.25.1. An unauthenticated attacker can exploit this by crafting commands that execute directly on the robot's operating system via the Dashboard Server network port. This could lead to a complete compromise of the robot controller, impacting confidentiality, integrity, and availability.

While Universal Robots has released a patch in version 5.25.1, users must install it to be protected. Network security and segmentation are crucial, as compromised workstations on the same network could hijack nearby robots if proper segmentation is missing. The company advises that its products are not designed for direct internet access, but local network access could still pose a risk.

The exploitation of this vulnerability is concerning due to the potential for physical harm to personnel working alongside compromised robots.

Source: Tech Radar