CVE-2026-8153: Universal Robots PolyScope OS Command Injection
A critical OS command injection vulnerability tracked as CVE-2026-8153 has been disclosed in Universal Robots PolyScope, the software platform used to program and control Universal Robots collaborative robot arms (cobots). The flaw resides in the Dashboard Server interface and enables an unauthenticated remote attacker to craft commands that execute arbitrary code on the robot's underlying operating system.
The vulnerability was published on May 8, 2026, assigned a CVSS v3.1 score of 9.8 (Critical), and affects all PolyScope versions prior to 5.21.1. Universal Robots has released a patched version addressing the issue.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-8153 |
| CVSS Score | 9.8 (Critical) |
| CWE Classification | CWE-78 — Improper Neutralization of Special Elements used in an OS Command |
| Affected Component | Dashboard Server interface in PolyScope |
| Attack Vector | Network |
| Authentication Required | None (unauthenticated) |
| User Interaction | None |
| Primary Impact | Arbitrary OS command execution on robot controller |
| Fixed Version | PolyScope 5.21.1 and later |
Affected Products
| Product | Affected Versions |
|---|---|
| Universal Robots PolyScope | All versions prior to 5.21.1 |
| UR3, UR5, UR10, UR16 cobots | When running affected PolyScope versions |
| UR e-Series controllers | When running affected PolyScope versions |
Technical Details
What Is the PolyScope Dashboard Server?
The Dashboard Server is a TCP-based interface exposed by PolyScope that allows external tools, integration software, and scripts to query and control robot operations programmatically. It is used for tasks such as loading programs, querying robot state, and triggering operational modes. The interface operates without authentication in many default configurations, making it reachable by any device on the same network segment.
Root Cause
The Dashboard Server fails to sanitize attacker-controlled input before passing it to an underlying OS command interpreter. An attacker can craft a specially formatted request that injects shell metacharacters into parameters processed by the server, causing the robot controller's operating system to execute the injected commands.
Because the service runs with elevated privileges on the embedded Linux system powering the robot controller, successful exploitation grants the attacker full OS-level access to the controller.
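To make the CWE-78 pattern concrete, here is a hypothetical request handler written for this advisory (it is not PolyScope's code; the "load" command, the `/programs` directory and the `cp` action are assumptions chosen for illustration), showing the vulnerable shell-string construction beside a hardened form that validates the value and never invokes a shell:

```python
"""Illustration of the OS command injection class (CWE-78) described above.
Hypothetical handler: the command, directory and file layout are constructed
for this example and do not describe PolyScope internals."""
import re
import subprocess
from pathlib import Path

PROGRAM_DIR = Path("/programs")                       # assumed location
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.urp")   # strict allowlist


def vulnerable_build(program: str) -> str:
    """Vulnerable pattern: the untrusted request value is spliced into a
    shell command string. A metacharacter in `program` ends the intended
    command and starts another. Returned for inspection, never executed."""
    return f"cp {PROGRAM_DIR}/{program} /tmp/active.urp"


def is_valid_program_name(program: str) -> bool:
    """Allowlist check: letters, digits, '_' and '-' plus a .urp suffix.
    Rejects spaces, path separators, '..' and every shell metacharacter."""
    return SAFE_NAME.fullmatch(program) is not None


def hardened_run(program: str, dry_run: bool = True) -> list[str]:
    """Hardened pattern: validate first, then pass an argv list with no
    shell, so the value is one argument and metacharacters carry no meaning.
    '--' stops cp from treating a name starting with '-' as an option."""
    if not is_valid_program_name(program):
        raise ValueError(f"rejected program name: {program!r}")
    argv = ["cp", "--", str(PROGRAM_DIR / program), "/tmp/active.urp"]
    if not dry_run:
        subprocess.run(argv, check=True)      # no shell=True
    return argv


if __name__ == "__main__":
    print(vulnerable_build("weld_cycle.urp; echo injected"))   # two commands
    print(hardened_run("weld_cycle.urp"))                      # one argv list
```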
Exploitation Path
Attacker (network access, no credentials required)
→ Sends crafted Dashboard Server request
→ Malicious input reaches OS command interpreter unsanitized
→ Injected commands execute on robot controller OS
→ Full OS-level control of the robot arm
The attack requires only network access to the robot controller. Universal Robots cobots deployed in manufacturing floors, warehouses, laboratories, or research facilities with inadequate network segmentation are directly exposed.
Impact Assessment
| Impact Area | Description |
|---|---|
| Physical Safety | Attacker can issue arbitrary movement commands, potentially causing physical harm to nearby personnel or equipment |
| Industrial Process Disruption | Robot programs can be stopped, modified, or replaced — halting production lines |
| Persistent Compromise | OS access allows implanting persistent malware or backdoors on the robot controller |
| Lateral Movement | Compromised robot controllers can serve as pivot points within OT/IT networks |
| Data Exfiltration | Proprietary robot programs and operational data can be stolen |
| Ransomware Target | Critical manufacturing infrastructure makes these systems valuable ransomware targets |
The CVSS 9.8 rating reflects the combination of no authentication, no user interaction, full impact on confidentiality/integrity/availability, and the safety implications unique to industrial robotic systems.
Remediation
Immediate Action: Update PolyScope
Upgrade to PolyScope 5.21.1 or later. Universal Robots has released this version to address CVE-2026-8153. Update procedures vary by controller generation:
- e-Series controllers: Updates can be applied via USB stick or through the PolyScope web interface under System → Software Update
- CB-Series controllers: Contact Universal Robots or your system integrator for firmware update instructions
Network Segmentation (Defense in Depth)
Regardless of patch status, robot controllers should never be directly exposed to untrusted networks:
- Isolate robot controllers on a dedicated OT/ICS VLAN separated from corporate IT networks
- Implement firewall rules blocking inbound connections to the Dashboard Server port (default TCP 29999) from untrusted hosts
- Disable remote Dashboard Server access if programmatic external access is not required for your deployment
- Monitor for unexpected network connections to robot controller IP addresses
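The last bullet can be turned into a concrete detection. The following is an added example, not part of the advisory: it reads netfilter LOG lines from a segmentation firewall and flags any TCP connection to the Dashboard Server port (29999) on a known robot controller that does not come from an allowlisted integration host. The controller and integration-host addresses and the log lines are constructed for the example.

```python
"""Detection example: Dashboard Server port reached from a non-allowlisted
host. Log format is the netfilter LOG target's kernel-log line; all addresses
and lines below are constructed for this example."""
import re
from dataclasses import dataclass
from typing import Optional

DASHBOARD_PORT = 29999                              # default port from the advisory
ROBOT_CONTROLLERS = {"10.20.5.50", "10.20.5.51"}    # assumed controller IPs
TRUSTED_INTEGRATION_HOSTS = {"10.20.5.10"}          # assumed MES/integration host

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    reason: str


def parse_netfilter_line(line: str) -> dict:
    """Pull SRC/DST/PROTO/DPT out of a LOG line; absent keys stay absent."""
    return dict(FIELD.findall(line))


def check_line(line: str) -> Optional[Alert]:
    """Return an Alert when a non-allowlisted host reaches 29999/tcp on a controller."""
    f = parse_netfilter_line(line)
    if f.get("PROTO") != "TCP" or f.get("DPT") != str(DASHBOARD_PORT):
        return None
    src, dst = f.get("SRC"), f.get("DST")
    if dst not in ROBOT_CONTROLLERS:
        return None                      # not a controller; out of scope
    if src in TRUSTED_INTEGRATION_HOSTS:
        return None                      # expected programmatic access
    return Alert(src, dst, "dashboard port reached from non-allowlisted host")


def scan(lines) -> list:
    return [a for a in map(check_line, lines) if a is not None]


SAMPLE_LOG = [  # constructed sample lines
    "May  9 08:12:01 fw kernel: UR-DASH IN=eth1 OUT= SRC=10.20.5.10 DST=10.20.5.50 PROTO=TCP SPT=40211 DPT=29999 SYN",
    "May  9 08:12:05 fw kernel: UR-DASH IN=eth1 OUT= SRC=192.168.1.77 DST=10.20.5.50 PROTO=TCP SPT=40212 DPT=443 SYN",
    "May  9 08:13:44 fw kernel: UR-DASH IN=eth0 OUT= SRC=192.168.1.77 DST=10.20.5.51 PROTO=TCP SPT=55120 DPT=29999 SYN",
    "May  9 08:14:02 fw kernel: UR-DASH IN=eth0 OUT= SRC=192.168.1.77 DST=10.20.5.99 PROTO=TCP SPT=55121 DPT=29999 SYN",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"ALERT {a.src} -> {a.dst}:{DASHBOARD_PORT} ({a.reason})")
```

Pair the rule with an iptables LOG target (prefix `UR-DASH`) on the segmentation firewall so the lines exist to scan; the same logic ports directly to a SIEM query.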
Interim Mitigation (If Patching Is Delayed)
If immediate patching is not possible:
```bash
# On the robot controller (requires existing OS access):
# Block Dashboard Server port at the host firewall.
# -A appends to INPUT, so an earlier ACCEPT rule would still match first;
# check ordering with: iptables -L INPUT -n --line-numbers
iptables -A INPUT -p tcp --dport 29999 ! -s <trusted_ip_range> -j DROP
```
Context: OT/ICS Security and Collaborative Robots
Universal Robots cobots are among the most widely deployed collaborative robots globally, found across automotive manufacturing, electronics assembly, food production, pharmaceutical manufacturing, and logistics. The convergence of IT and OT networks — driven by Industry 4.0 initiatives — has increasingly exposed historically air-gapped robot controllers to network-accessible attack surfaces.
This vulnerability class (unauthenticated OS command injection in network-exposed industrial control interfaces) represents one of the most severe risk categories in OT security. Unlike IT systems, compromised industrial robots carry physical safety implications beyond data loss, including potential harm to human workers sharing the same workspace.
Organizations operating Universal Robots deployments should treat this advisory as high urgency, particularly in facilities where:
- Robots operate in close proximity to personnel (human-robot collaboration)
- Robot controllers are connected to plant-wide networks with limited segmentation
- Remote monitoring or integration software requires Dashboard Server access
Key Takeaways
- CVE-2026-8153 is a CVSS 9.8 critical OS command injection in Universal Robots PolyScope Dashboard Server — exploitable with no authentication
- All PolyScope versions prior to 5.21.1 are affected; patch to 5.21.1 immediately
- The attack is network-accessible with zero authentication required — no user interaction needed
- Physical safety implications elevate urgency beyond typical IT vulnerabilities
- Network segmentation is essential regardless of patch status — robot controllers must not be reachable from untrusted networks
- Facilities with Industry 4.0 IT/OT convergence deployments should audit all robot controller network exposure