Vulnerability Management, Patch/Configuration Management

Universal Robots patches critical 9.8 flaw in ‘cobots’ OS

Cellphone with web page of Danish cobot company Universal Robots AS in front of business logo. Focus on top-left of phone display.

Danish robotics company Universal Robots recently patched a critical 9.8 bug in the Dashboard Server of its Universal Robots PolyScope 5 operating system for its collaborative robots, or "cobots."

Universal Robots released a patch in its PolyScope 5.25.1 software update to address the flaw and while there’s no evidence yet of active exploitation, the company recommended that users install the update as soon as possible.

According to Universal, the flaw — CVE-2026-8153 — can potentially let an unauthenticated attacker who can reach the Dashboard Server network port to craft commands that are executed on the robot's operating system

Security pros said the danger to customers of Universal Robots is that attackers can disrupt production lines, alter operational parameters, or use the controller as a pivot point to reach other systems on the network.

Universal Robots has deployed more than 100,000 cobots across thousands of companies across the United States, Mexico, Europe, and the Asia-Pacific, so manufacturers were put on notice in an advisory late last week by the Cybersecurity and Infrastructure Security Agency (CISA).

“In manufacturing, downtime has a direct cost, and depending on the application, safety implications as well,” said Shane Barney, chief information security officer at Keeper Security. “Incidents like this have a way of revealing gaps that existed long before the CVE was published. Use this moment to audit your broader OT network exposure. Flat network segments, dormant credentials and unmonitored devices rarely appear on a patch list, but they're exactly what attackers exploit once they're inside.”

Damon Small, board member at Xcape, Inc., added that the critical RCE in the PolyScope software poses a severe operational risk because it bridges digital exploitation with physical kinetic impact. Small said for industrial manufacturers, an unauthenticated attacker achieving root access means they can alter precise safety limits, manipulate the physical movements of the cobots, or brick entire production lines, turning collaborative robots into workplace hazards.

“Security leaders in manufacturing must treat this with the highest urgency, but because firmware updates on the factory floor require costly downtime, the immediate play is isolation rather than an immediate flash,” said Small. "Organizations should audit their OT networks to ensure no robot dashboard servers are exposed to the internet, enforce strict firewall rules to isolate the industrial control systems layer, and disable the vulnerable dashboard server functionality entirely if it’s not actively required for operations.”

Kevin Surace, chair at TokenCore said the conditions for this kind of exploit at a factory are more common than people might think.

“Engineering workstations often have broad access, and remote support pathways are frequently tied to ordinary identity systems,” said Surace. “So the realistic attack path is not ‘random attacker on the internet directly reaches every robot.' It’s ‘attacker compromises a legitimate identity, gets onto the right network, finds the reachable dashboard service, then exploits the vulnerability.' That first step is now child’s play against organizations still relying on phishable MFA, push approvals, SMS, one-time codes, or auth apps.”

Surace said security teams should respond with a joint OT, IT, engineering, and production plan: Patch the robot controllers, segment the robot networks, monitor for suspicious dashboard access, and harden the identities that can reach those systems.

“Otherwise, teams can patch this bug, but leave the attacker’s favorite path wide open,” said Surace.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds