CVE-2026-8153: Command Injection in the PolyScope 5 Dashboard Server
This article presents information on an OS command injection vulnerability affecting the Dashboard Server interface in Universal Robots PolyScope 5. It provides guidance on the steps required to strengthen your cybersecurity and remediate the issue.
An OS command injection vulnerability has been identified in the Dashboard Server interface of Universal Robots PolyScope 5. The flaw allows an unauthenticated attacker who can reach the Dashboard Server network port to craft commands that are executed on the robot's operating system. This issue has been assigned CVE-2026-8153 with a CVSS 3.1 base score of 9.8 (Critical) and a CVSS 4.0 base score of 9.3.
A fix has been released in the PolyScope 5.25.1 software update to address this vulnerability. This update is available on the Support Site. Universal Robots strongly recommends that all customers update to version 5.25.1 or newer, as soon as possible.
You should be aware that:
- Remote exploitation of CVE-2026-8153 requires the robot's Dashboard Server to be enabled in the UI, and its port to be reachable by the attacker. UR robots are not designed to be accessible directly from the Internet, and direct inbound Internet access is typically prevented by the company firewall.
- UR robots that are reachable from a LAN can be attacked by any host on that network, including a compromised workstation or a device plugged into the same switch. Therefore, as always, keep your network secure: segmentation and access control on the network are essential to the security of the robot.
Note
This Security Advisory is based on a thorough investigation and all findings that were available at the time of publication. Should new information become available, it is possible that the initial assessment changes and the Security Advisory will be updated.
Summary
Universal Robots PolyScope 5 versions prior to 5.25.1 are affected by an OS command injection vulnerability in the Dashboard Server interface. The Dashboard Server accepts user-controlled input and passes it to the underlying operating system without proper neutralization of special elements. An unauthenticated attacker with network access to the Dashboard Server port can craft commands that are executed on the robot's operating system, leading to remote code execution and compromise of the controller with high impact to confidentiality, integrity, and availability.
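The following is an added illustration of the CWE-78 pattern the summary describes, not PolyScope code and not the actual vulnerable command: a hypothetical line-oriented `load <name>` command whose argument reaches the operating system. `echo` stands in for whatever program a real server would invoke, so the injected command is visible in the output instead of doing damage. The allowlist pattern and the `.urp` extension are assumptions for the example.

```python
"""CWE-78 in a text-command handler: vulnerable form beside two hardened forms.

Hypothetical example (not Universal Robots code). The 'load' verb, the
'.urp' allowlist and the use of 'echo' as the invoked program are assumed.
Requires a POSIX /bin/sh, as the shell=True path relies on ';' as a separator.
"""
import re
import subprocess

# Assumed allowlist: a bare file name with one fixed extension, no path
# separators and no shell metacharacters.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_\-]{1,64}\.urp")


def _parse(line: str) -> tuple[str, str]:
    """Split 'verb argument' as a naive line-oriented server would."""
    verb, _, arg = line.strip().partition(" ")
    return verb, arg


def handle_load_vulnerable(line: str) -> str:
    """Vulnerable pattern: the client-controlled argument is interpolated into
    a command string that the shell parses, so ';', '|', '$(...)' etc. are
    interpreted. Equivalent to os.system()/popen() with string formatting."""
    verb, arg = _parse(line)
    if verb != "load":
        return "unknown command"
    completed = subprocess.run(
        f"echo loading {arg}", shell=True, capture_output=True, text=True
    )
    return completed.stdout


def run_without_shell(arg: str) -> str:
    """Mitigation 1: pass argv as a list with shell=False. The argument is
    delivered to the program as one literal string; no shell ever sees it."""
    completed = subprocess.run(
        ["echo", "loading", arg], shell=False, capture_output=True, text=True
    )
    return completed.stdout


def handle_load_hardened(line: str) -> str:
    """Mitigation 2 (preferred): allowlist-validate the argument, then still
    avoid the shell. Rejecting unexpected input protects the invoked program
    too, not just the shell, e.g. against path traversal in the name."""
    verb, arg = _parse(line)
    if verb != "load":
        return "unknown command"
    if not _SAFE_NAME.fullmatch(arg):
        raise ValueError(f"rejected program name: {arg!r}")
    return run_without_shell(arg)


if __name__ == "__main__":
    benign = "load prog.urp"
    malicious = "load prog.urp; echo INJECTED"   # constructed input
    print("vulnerable, benign  :", handle_load_vulnerable(benign).strip())
    print("vulnerable, malicious:", repr(handle_load_vulnerable(malicious)))
    print("argv list, malicious :", repr(run_without_shell("prog.urp; echo INJECTED")))
    try:
        handle_load_hardened(malicious)
    except ValueError as exc:
        print("hardened, malicious  :", exc)
```

With the vulnerable handler the second `echo` runs as a separate command; with the argv list the same text is printed back as a single literal argument; with the allowlist the request is refused before anything is executed. The allowlist plus no-shell combination is the fix to look for when reviewing a patch for this class of bug.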
| CVE ID | CVE-2026-8153 |
| CVE Title | Command injection in Dashboard Server interface |
| CWE | CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| CVSS 3.1 Base Score | 9.8 (Critical) |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Affected Products
| Product | Affected software versions |
|---|---|
| Universal Robots PolyScope 5 | < 5.25.1 |
Attribution
This vulnerability was discovered and reported by Vera Mens of Claroty Team82. The issue was coordinated through CISA and CERT/CC's VINCE platform. Universal Robots thanks Claroty Team82 for responsibly disclosing this vulnerability.
References
- MITRE CVE Record: https://www.cve.org/CVERecord?id=CVE-2026-8153
- Universal Robots Dashboard Server documentation: https://www.universal-robots.com/developer/communication-protocol/dashboard-server/
- Universal Robots Coordinated Disclosure policy: https://universal-robots.com/articles/coordinated-disclosure
Recommended Actions
- Upgrade PolyScope 5 to version 5.25.1 or newer.
Compensating Controls
If you cannot immediately update to the recommended version, we recommend the following compensating measures, which are aligned with CISA's defensive guidance for control system devices:
- Minimize network exposure of the robot. Place the robot and other control system devices behind firewalls and isolate them from business networks.
- On the Services tab in PolyScope, disable the Dashboard Server interface entirely if it is not used by your application.
- On the General tab in PolyScope, restrict access to specific trusted hosts or subnets, so that only the engineering workstations or integration systems that actually need the Dashboard Server can reach it.
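After applying the firewall or host-restriction controls above, verify from a host that should be blocked that the port is in fact unreachable. The following is an added example, not Universal Robots code; it assumes the Dashboard Server listens on TCP port 29999 (its standard port) and greets each client with a text banner beginning "Connected: Universal Robots Dashboard Server". The stand-in listener at the bottom exists only so the probe can be exercised offline.

```python
"""Reachability probe for a robot's Dashboard Server port.

Added example, not Universal Robots code. Assumed: TCP port 29999 and a
greeting banner starting "Connected: Universal Robots Dashboard Server".
Run it from a host that the firewall or host restriction is meant to block;
reachable=True from such a host means the compensating control is not working.
"""
import socket
import sys
import threading
from dataclasses import dataclass

DASHBOARD_PORT = 29999                                   # assumed standard port
BANNER_PREFIX = b"Connected: Universal Robots Dashboard Server"  # assumed greeting


@dataclass
class ProbeResult:
    host: str
    port: int
    reachable: bool      # TCP handshake completed
    banner: str          # first line read, empty if nothing arrived
    is_dashboard: bool   # banner matched the assumed greeting


def probe_dashboard(host: str, port: int = DASHBOARD_PORT,
                    timeout: float = 2.0) -> ProbeResult:
    """Connect and read one greeting line. A filtered port (no answer) and a
    refused connection are both reported as reachable=False."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            chunks = []
            try:
                while True:
                    chunk = sock.recv(256)
                    if not chunk:           # peer closed without a newline
                        break
                    chunks.append(chunk)
                    if b"\n" in chunk:      # one line is enough
                        break
            except OSError:                 # read timeout or reset: keep what we have
                pass
            raw = b"".join(chunks)
            return ProbeResult(host, port, True,
                               raw.decode("utf-8", "replace").strip(),
                               raw.startswith(BANNER_PREFIX))
    except OSError:
        return ProbeResult(host, port, False, "", False)


def exposed_robots(hosts: list[str], port: int = DASHBOARD_PORT) -> list[str]:
    """Return the hosts whose Dashboard Server port accepted a connection from
    this machine; from a host that should be blocked, this list should be empty."""
    return [h for h in hosts if probe_dashboard(h, port).reachable]


def start_fake_dashboard(banner: bytes = BANNER_PREFIX + b"\n"):
    """Stand-in listener on 127.0.0.1 that sends one banner line and closes.
    Exists only to exercise probe_dashboard() offline; not a real Dashboard
    Server. Returns (listening socket, port); close the socket to stop it."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)
        except OSError:                     # listener closed, nothing to do
            pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python probe.py <robot-ip> [<robot-ip> ...]; with no arguments the
    # stand-in listener is probed instead.
    if len(sys.argv) > 1:
        for host in sys.argv[1:]:
            print(probe_dashboard(host))
    else:
        srv, port = start_fake_dashboard()
        print("stand-in up   :", probe_dashboard("127.0.0.1", port))
        srv.close()
        print("stand-in down :", probe_dashboard("127.0.0.1", port))
```

A result with `reachable=True` but `is_dashboard=False` is still worth investigating: something answered on the port, and either the banner assumption is wrong for that software version or another service is listening there.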
No known public exploitation specifically targeting this vulnerability has been reported to CISA at the time of publication.
Revision history
| Date | Description |
|---|---|
| May 11th, 2026 | Initial Advisory publication. |