Patch Now: Critical Flaw in OT Robot OS Gives Attackers Control
Dark Reading
An unauthenticated attacker can exploit the command injection vulnerability to gain remote access to robotic systems, causing significant disruption to the environment.
Elizabeth Montalbano, Contributing Writer
May 20, 2026
4 Min Read
A critical command injection vulnerability in the operating system (OS) for collaborative robots used across operational technology (OT) environments allows an unauthenticated attacker to execute commands on the system. Exploiting the flaw could threaten the integrity of the system and potentially the safety of those interacting with it.
Danish company Universal Robots has patched the vulnerability, tracked as CVE-2026-8153 and found in the Dashboard Server interface of Universal Robots PolyScope 5. The flaw exists because the Dashboard Server accepts user-controlled input and passes it to the underlying OS without proper neutralization of special elements, according to a company security advisory.
The flaw has a CVSS 3.1 base score of 9.8 and allows anyone who can reach the Dashboard Server network port to craft commands that are executed on the robot's operating system. This scenario means that an unauthenticated attacker with network access can achieve remote code execution (RCE) and compromise the controller.
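To make the root cause concrete, here is an added illustration (not Universal Robots' code, and not the real Dashboard Server protocol) of a hypothetical network-reachable text-command handler that forwards client input to the OS. The vulnerable variant pastes the line into a shell command string; the hardened variant allowlists verbs, validates the argument syntax, and builds an argv list so no shell ever interprets the input. Paths, command names and the program-name rule are constructed for the example.

```python
import re
from typing import List

# Hypothetical controller-side handler for a network "dashboard" style
# text interface (constructed for illustration; not Universal Robots' code).

# Vulnerable pattern: the client-supplied line is interpolated into a
# shell command string, so ';', '|', '$(...)' etc. become extra commands.
# The string is only built and returned here, never executed.
def build_shell_command_vulnerable(line: str) -> str:
    cmd, _, arg = line.strip().partition(" ")
    if cmd == "load":
        return f"/opt/controller/load_program.sh {arg}"
    raise ValueError("unknown command")

# Hardened pattern: allowlisted verbs, a strict argument grammar, and an
# argv list (no shell), so metacharacters are never interpreted.
PROGRAM_NAME = re.compile(r"^[A-Za-z0-9_\-]{1,64}\.urp$")  # hypothetical naming rule

# verb -> (argv prefix, whether exactly one argument is required)
ACTIONS = {
    "load": (["/opt/controller/load_program.sh"], True),
    "stop": (["/opt/controller/stop_program.sh"], False),
}

def dispatch_hardened(line: str) -> List[str]:
    """Return the argv to run for a command line, or raise ValueError."""
    parts = line.strip().split()
    if not parts or parts[0] not in ACTIONS:
        raise ValueError("unknown command")
    argv, takes_arg = ACTIONS[parts[0]]
    if takes_arg:
        # Exactly one argument, matching the allowlisted name pattern;
        # "job.urp; reboot" splits into two tokens and is rejected.
        if len(parts) != 2 or not PROGRAM_NAME.match(parts[1]):
            raise ValueError("invalid argument")
        return argv + [parts[1]]
    if len(parts) != 1:
        raise ValueError("command takes no argument")
    return list(argv)

def is_accepted(line: str) -> bool:
    """True if the hardened dispatcher would accept the line."""
    try:
        dispatch_hardened(line)
        return True
    except ValueError:
        return False
```

Compare `build_shell_command_vulnerable("load job.urp; reboot")`, which yields a string carrying a second command, with `dispatch_hardened` on the same input, which rejects it.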
Universal Robots credited Vera Mens of Claroty Team82 with discovery and responsible disclosure of the flaw, and acknowledged coordination through the Cybersecurity and Infrastructure Security Agency (CISA) and CERT/CC's VINCE platform. CISA also put out its own advisory on the vulnerability.
How CVE-2026-8153 Puts 'Cobots' at Risk
Universal Robots' PolyScope systems are collaborative robotic systems, commonly referred to as "cobots," and are deployed across manufacturing, logistics, warehousing, automotive, healthcare, and other industrial production environments.
"The flaw affects the robot controller itself, which is effectively a Linux-based computer connected directly to operational technology and physical machinery," Morey Haber, chief security advisor at BeyondTrust, tells Dark Reading.
Universal Robots has noted in its advisory that remote exploitation of CVE-2026-8153 requires the robot's Dashboard Server to be enabled in the UI, and its port must be reachable by the attacker. The company's robots are designed so that they are not accessible directly from the Internet, and companies typically have firewalls that prevent direct inbound Internet access to OT systems, according to Universal Robots.
Still, exploiting the flaw can significantly impact the PolyScope 5 robotic system's confidentiality, integrity, and availability, Haber says. That's because attackers could gain administrative-level control over the robotic controller without valid credentials and operate undetected, even over a persistent period of time, he says.
Security, Safety Concerns for OT Systems
Exploitation has implications beyond the control systems as well because, in many environments, these robotic systems communicate with PLCs, manufacturing execution system (MES) platforms, ERP applications, and remote management infrastructure. This makes controllers "highly interconnected OT assets rather than isolated machines, according to the manufacturer's own specifications," Haber says.
Potentially disruptive outcomes include production shutdowns, sabotage of manufacturing workflows, ransomware deployment, destruction of operational and configuration data, or manipulation of robotic precision and calibration, Haber notes.
Exploiting the flaw has not only security implications across all these systems but also safety implications, since "industrial robots bridge the digital and physical worlds," Haber notes.
"If attackers manipulate robot behavior, disable safeguards, alter programmed movements, or interrupt safety logic, the consequences move beyond cybersecurity and into human safety," he says. "A compromised cobot may no longer operate predictably around workers, assembly lines, or with hazardous materials."
This could pose not only an operational hazard, but also a critical infrastructure threat due to production outages or equipment damage, or even a physical threat to humanity via an environmental catastrophe, Haber says.
Mitigations for the PolyScope 5 Flaw
At this time, no known exploitation has occurred. Universal Robots "strongly recommends that all customers update to version 5.25.1 or newer, as soon as possible," which patches the vulnerability on all affected systems, according to the advisory.
If updating is not immediately possible, Universal Robots recommended measures aligned with CISA's defensive guidance for control system devices, including minimizing network exposure of the robot by placing it and other control system devices behind firewalls and isolating them from business networks. Administrators also should disable the Dashboard Server in PolyScope entirely if it is not used by an application, and restrict access to specific trusted hosts or subnets in the OS, Universal Robots said.
Haber also recommends "strict segmentation between IT and OT environments" as a general rule in environments using any industrial control system (ICS). He also notes the importance of keeping the Dashboard Server disabled if it's not operationally required, since "remote management interfaces are the control plane for an environment and consistently become high value attack surfaces in industrial environments."
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is a freelance writer, editor, and journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City. She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze. She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician.