# CVE-2025-45466
Details of CVE-2025-45466.
# CVE Disclosure: CVE-2025-45466
## Summary
A vulnerability has been discovered in the **Unitree Go1** robotic dog (all versions <= `Go1_2022_05_11`) involving **hardcoded plaintext authentication credentials**, which leads to **Incorrect Access Control**. This issue allows remote or local attackers to gain unauthorized access to the system via SSH or SCP, potentially resulting in **remote code execution**, **privilege escalation**, and **information disclosure**.
---
## Vulnerability Details
- **Vulnerability Type:** Incorrect Access Control
- **Impact:**
  - Remote Code Execution ✅
  - Privilege Escalation ✅
  - Information Disclosure ✅
- **Attack Vector:**
  An attacker can extract the firmware, inspect a specific script (`/run.sh`), and find hardcoded plaintext credentials used for SSH/SCP authentication. With these credentials, the attacker can access the robot remotely via:
  - **Wi-Fi client mode**
  - **Wi-Fi AP mode**
  - **Physical access via Ethernet interface**
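A pre-release check for this class of defect, as an added example that is not part of the original advisory or of Unitree's code: it walks an unpacked firmware tree and flags scripts that embed a literal password, redacting the value in its output. The two regex rules, the file names and the sample tree are assumptions constructed for illustration; the advisory does not show the actual contents of `run.sh`.

```python
import re
import tempfile
from pathlib import Path

# Assumed patterns: the advisory does not show how run.sh embeds the credential.
RULES = {
    "sshpass-inline": re.compile(r"\bsshpass\s+-p\s*(['\"]?)(?P<secret>[^\s'\"$]+)\1"),
    "password-assignment": re.compile(
        r"\b\w*(?:passw(?:or)?d|pwd)\w*\s*=\s*(['\"]?)(?P<secret>[^\s'\"$]+)\1", re.I),
}

def is_script(path):
    """Treat *.sh files and anything starting with a shebang as a script."""
    if path.suffix == ".sh":
        return True
    with path.open("rb") as fh:
        return fh.read(2) == b"#!"

def scan_firmware(root):
    """Return (relative path, line number, rule, redacted line) per finding."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        if not is_script(path):
            continue
        text = path.read_text(errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue  # skip comments and the shebang
            for rule, rx in RULES.items():
                m = rx.search(line)
                if m:  # never echo the secret itself into build logs
                    shown = line[:m.start("secret")] + "<redacted>" + line[m.end("secret"):]
                    findings.append((path.relative_to(root).as_posix(), lineno, rule, shown.strip()))
    return findings

# Constructed sample tree; NOT the contents of the real Unitree firmware.
SAMPLE = {
    "run.sh": "#!/bin/sh\nsshpass -p 'PLACEHOLDER-SECRET' scp fw.tar root@192.0.2.10:/tmp/\n"
              "ROOT_PASSWD=\"PLACEHOLDER-SECRET\"\n",
    "bin/update": "#!/bin/sh\nPASSWORD=\"$1\"\nssh -i /etc/keys/id_ed25519 root@192.0.2.10 reboot\n",
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE.items():
            target = Path(root, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_firmware(root)
```

Values taken from a variable or argument (such as `PASSWORD="$1"`) and key-based `ssh -i` calls are deliberately not flagged, so a non-empty result from `scan_firmware()` can fail the firmware build.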
---
## Affected Products
- **Vendor:** [Unitree Robotics](https://www.unitree.com/cn/go1)
- **Product:** Unitree Go1
- **Affected Versions:** All firmware versions ≤ `Go1_2022_05_11`
- **Affected Component:** `/run.sh` in the firmware
- **Firmware Package URL (Archived):** [Go1_2022_05_11_e0d0e617.zip](https://unitreeapp.oss-cn-beijing.aliyuncs.com/Go1_2022_05_11_e0d0e617.zip)
---
## Proof of Concept (PoC)
1. **Download the affected firmware**
2. `grep -i "password" run.sh`
3. `ssh root@<robot_ip>  # using the hardcoded password`
4. Do anything you want with root permission.
## Result
As the screenshots below show, the password for root access is saved in `passwd.sh` (figure 1), and this file can be found in the same package (figure 2).
figure 1:

figure 2:
