Platform: other
Component: dashboard-server
CVE-2020-10265 describes a critical authentication bypass vulnerability in the DashBoard server component of Universal Robots Robot Controllers. The DashBoard server listens on TCP port 29999 and accepts commands that control core robot functions from any client, without any authentication or authorization. Affected versions include CB2 SW Version 1.4 and above, CB3 SW Version 3.0 and above, and e-series SW Version 5.0 and above. Upgrading to a patched version from Universal Robots is the recommended solution.
The lack of authentication in the DashBoard server presents a severe risk. Anyone who can reach port 29999 can drive the controller: load, start, pause or stop programs, power the arm on or off, release the brakes, shut the controller down, read controller state, or acknowledge protective stops and safety popups, producing unpredictable and potentially dangerous motion. The consequences range from production downtime to physical harm to people working near the arm. The blast radius extends to any environment in which a vulnerable controller is reachable over the network, which includes manufacturing, research, and other automation-dependent sectors. The vulnerability is particularly concerning because the impact is physical as well as operational.
CVE-2020-10265 was publicly disclosed on April 6, 2020. While no active exploitation campaigns have been definitively linked to this CVE, the ease of exploitation and the potential for significant impact make it a high-priority vulnerability. The absence of authentication makes it trivial to exploit, increasing the likelihood of opportunistic attacks. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.36% (58th percentile)
CVSS Vector
The primary mitigation is to upgrade to a firmware version in which Universal Robots has addressed the issue; check the vendor's security advisories for the release that applies to your controller generation. Until an upgrade is possible, rely on network controls. Place the controller on an isolated cell network and permit TCP port 29999 only from the hosts that legitimately orchestrate the robot (for example a PLC or cell controller), enforced with a network firewall or switch ACL. A Web Application Firewall is the wrong tool here: the DashBoard server speaks a plain line-oriented TCP protocol, not HTTP. Monitor for any connection to port 29999 that does not originate from that allowlist. Note that the DashBoard server has no credentials to test with, so verification cannot be "log in with and without a password": verify a network mitigation by probing the port from an untrusted network position and confirming the connection is refused or filtered, and verify a firmware fix by confirming that an unauthenticated client can no longer issue control commands.
The root cause is that the DashBoard server exposes privileged control commands to any TCP client without authenticating or authorizing it. The affected versions offer no authentication setting that an operator can turn on, so a real fix has to come from Universal Robots in the form of a server that authenticates clients and restricts commands to authorized users; until such a release is applied, restricting which hosts can reach the port is the only available control. Consult the vendor's documentation and advisories for the status of a fix for your controller generation.
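The following is an added example of the verification step described above; it is not code from this page, from Universal Robots, or from the CVE record. It assumes two facts of the publicly documented DashBoard protocol: the server greets every new connection with a line beginning "Connected: Universal Robots Dashboard Server", and "robotmode" is a read-only query for the controller state. Only read-only commands are sent, so the probe is safe to run against a live cell. The mock controller, the function names and the "could not understand" reply text are constructed for this example so that it runs offline.

```python
"""Probe a host for an exposed, unauthenticated DashBoard server on TCP/29999.

Added example (not Universal Robots' code). Run probe_dashboard() from a network
position that should NOT be able to control the robot: a verdict of "exposed"
means the segmentation or firewall mitigation is missing, or the fix is not in place.
"""
import socket
import socketserver
import threading

DASHBOARD_PORT = 29999
# Greeting sent by the real DashBoard server on every new connection (documented protocol).
BANNER_PREFIX = "Connected: Universal Robots Dashboard Server"


def classify_banner(banner: str) -> str:
    """Turn the first line received after connect into a verdict.

    'exposed' -> a DashBoard server answered without any authentication step
    'silent'  -> the port accepted the connection but sent nothing
    'unknown' -> something else is listening there
    """
    line = banner.strip()
    if not line:
        return "silent"
    return "exposed" if line.startswith(BANNER_PREFIX) else "unknown"


def probe_dashboard(host: str, port: int = DASHBOARD_PORT, timeout: float = 3.0) -> dict:
    """Connect, read the greeting, and only if it is a DashBoard server ask 'robotmode'.

    A controller behind a correctly scoped firewall, or one running a fixed server,
    must not yield verdict == 'exposed' when probed from an untrusted host.
    """
    result = {"reachable": False, "verdict": "unreachable", "banner": "", "robotmode": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["reachable"] = True
            f = sock.makefile("rw", encoding="utf-8", newline="\n")
            try:
                banner = f.readline()
            except socket.timeout:
                banner = ""  # connection accepted but nothing sent within the timeout
            result["banner"] = banner.strip()
            result["verdict"] = classify_banner(banner)
            if result["verdict"] == "exposed":
                f.write("robotmode\n")  # read-only query; never send control commands
                f.flush()
                result["robotmode"] = f.readline().strip()
    except OSError:
        pass  # refused, filtered or timed out: reachable stays False
    return result


class _FakeDashboardHandler(socketserver.StreamRequestHandler):
    """Constructed mock of a vulnerable controller: greets, answers 'robotmode', little else."""

    def handle(self):
        self.wfile.write((BANNER_PREFIX + "\n").encode())
        for raw in self.rfile:
            cmd = raw.decode("utf-8", errors="replace").strip()
            if cmd == "robotmode":
                self.wfile.write(b"Robotmode: RUNNING\n")
            elif cmd == "quit":
                self.wfile.write(b"Disconnected\n")
                break
            else:  # reply wording is made up for the mock, not taken from the real server
                self.wfile.write(b"could not understand: '" + cmd.encode() + b"'\n")


def start_fake_controller(port: int = 0):
    """Start the mock on 127.0.0.1 (port 0 picks a free one); returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", port), _FakeDashboardHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    server, mock_port = start_fake_controller()
    print(probe_dashboard("127.0.0.1", mock_port))  # mock is exposed: verdict 'exposed'
    server.shutdown()
    server.server_close()
    print(probe_dashboard("127.0.0.1", mock_port))  # port now closed: verdict 'unreachable'
```

Against a real cell, replace the mock with the controller's address and run the probe once from the orchestrating host (expected "exposed" until a fixed firmware is installed) and once from a host outside the allowlist (expected "unreachable" if the firewall or ACL is doing its job).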
CVE-2020-10265 is a critical vulnerability affecting Universal Robots Robot Controllers, allowing unauthorized control due to a missing authentication mechanism in the DashBoard server.
If you are using Universal Robots Robot Controllers with CB2 SW Version 1.4 or higher, CB3 SW Version 3.0 or higher, or e-series SW Version 5.0 or higher, and have not upgraded to a patched version, you are potentially affected.
The recommended fix is to upgrade to a patched version of the Universal Robots Robot Controller firmware provided by Universal Robots. Check their website for available updates.
While no confirmed active exploitation campaigns have been publicly reported, the ease of exploitation makes it a potential target for opportunistic attacks.
Refer to the Universal Robots website and security advisories for the latest information and updates regarding CVE-2020-10265.