Critical Flaw in Universal Robots Cobot OS Enables Unauthenticated Takeover
What happened: A critical command injection vulnerability has been found in Universal Robots’ PolyScope 5 operating system, which runs the company’s collaborative robots. Tracked as CVE-2026-8153 with a CVSS score of 9.8, it affects all PolyScope versions before 5.25.1.
Why it matters: An unauthenticated attacker can send crafted commands through the Dashboard Server network port that execute directly on the robot’s OS. This can fully compromise the robot controller, affecting confidentiality, integrity, and availability.
Industry context: Universal Robots has issued a patch in version 5.25.1, which users must install to be protected. Network security and segmentation matter, because a compromised workstation on the same network could hijack nearby robots where segmentation is absent.
Our take: This event highlights how networked cobots are exposed endpoints, and patching plus segmentation should be treated as baseline plant-floor hygiene.





