CVSS base score: 7.8 HIGH
- CVSS version: 3.1
- Attack vector (AV): LOCAL
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
Activity log
- @anthonyroussel created an automatic suggestion
- @anthonyroussel removed 3 packages:
  - typstPackages.flupke-headstamp_0_1_0
  - typstPackages.flupke-headstamp
  - dotnetCorePackages.patchNupkgs
- @anthonyroussel dismissed
Unitree UPK files Hard-Coded Key
Because the encryption algorithm used to protect firmware updates is itself encrypted with key material available to an attacker (or to anyone paying attention), firmware updates can be altered by an unauthorized user and then trusted by a Unitree product, such as the Unitree Go2 and other models. This issue appears to affect all of Unitree's current offerings as of February 26, 2026, and should therefore be considered a vulnerability in both the firmware generation and extraction processes. At the time of this release, there is no publicly documented mechanism to subvert the update process and insert poisoned firmware packages without the equipment owner's knowledge.
References
Affected products
- =<20260226v1
Ignored packages (3)
- pkgs.dotnetCorePackages.patchNupkgs: None
- pkgs.typstPackages.flupke-headstamp: Surface Git reflog metadata in documents
- pkgs.typstPackages.flupke-headstamp_0_1_0: Surface Git reflog metadata in documents