
Universal Robots PolyScope 5 cobots: unauthenticated RCE on Dashboard Server (CVE-2026-8153, CVSS 9.8) - patch out

Universal Robots, the Danish maker of the PolyScope 5 collaborative-robot controllers used across manufacturing, logistics, automotive, and healthcare, has patched CVE-2026-8153, a CVSS 9.8 OS command injection in the Dashboard Server interface. The server accepts user-controlled input and passes it to the underlying Linux OS without proper neutralization, so anyone with network access to the Dashboard Server port can achieve unauthenticated remote code execution on the robot controller - effectively a Linux machine wired directly into physical machinery. Vera Mens of Claroty Team82 discovered and reported the flaw through CISA and CERT/CC's VINCE coordination. Exploitation requires the Dashboard Server to be enabled in the UI.

Check
Inventory Universal Robots PolyScope 5 deployments and their firmware version. Identify whether the Dashboard Server is enabled and reachable from any network beyond the management VLAN.
Affected
Universal Robots PolyScope 5 controllers with the Dashboard Server enabled and its port reachable by the attacker. Cobots in manufacturing, logistics, automotive, and healthcare are typical deployments.
Fix
Apply Universal Robots' patch for CVE-2026-8153. Disable the Dashboard Server where not strictly needed. Place cobot controllers on a separate OT VLAN with strict ACLs from corporate networks.
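
An added example, not from Universal Robots or the original article: a Python audit of an exported firewall rule set that flags permit rules letting sources outside the management VLAN reach the Dashboard Server port on inventoried controllers. The addresses, the rule format and its first-match semantics are constructed assumptions, as is port 29999 (the Dashboard Server's documented default, which this article does not state).

```python
import ipaddress

# Assumption: default Dashboard Server TCP port; not stated in this article.
DASHBOARD_PORT = 29999

# Constructed sample data; replace with your own inventory and firewall export.
MGMT_VLAN = ipaddress.ip_network("10.20.0.0/24")
CONTROLLERS = [ipaddress.ip_address(a) for a in ("10.30.1.11", "10.30.1.12")]
# Ordered, first-match rules: (action, source CIDR, destination CIDR, (low, high) port)
RULES = [
    ("permit", "10.20.0.0/24", "10.30.1.0/24", (29999, 29999)),
    ("permit", "10.0.0.0/8", "10.30.1.12/32", (29000, 30100)),
    ("deny", "0.0.0.0/0", "10.30.1.0/24", (1, 65535)),
]


def exposed_rules(rules, controllers, mgmt, port=DASHBOARD_PORT):
    """Return (controller, rule index, source) for each permit rule that lets a
    source outside the management VLAN reach `port` on an inventoried controller."""
    findings = []
    for host in controllers:
        denied = []  # sources already blocked by an earlier deny for this host/port
        for idx, (action, src, dst, (lo, hi)) in enumerate(rules):
            if host not in ipaddress.ip_network(dst) or not lo <= port <= hi:
                continue  # rule does not cover this controller's Dashboard port
            src_net = ipaddress.ip_network(src)
            if action == "deny":
                denied.append(src_net)
            elif not src_net.subnet_of(mgmt) and not any(
                src_net.subnet_of(d) for d in denied
            ):
                # Conservative: a source only partly covered by an earlier deny
                # is still reported for manual review.
                findings.append((str(host), idx, src))
    return findings


if __name__ == "__main__":
    for host, idx, src in exposed_rules(RULES, CONTROLLERS, MGMT_VLAN):
        print(f"{host}: rule {idx} permits {src} to tcp/{DASHBOARD_PORT}")
```

Run it from wherever the firewall export lives; an empty result means no rule in the export opens the port beyond the management VLAN, not that the Dashboard Server is disabled on the controller.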