CVE-2020-10266 HIGH

CVE-2020-10266: RVD#1487: No integrity checks on UR+ platform artifacts when installed in the robot

Vendor Universal Robots
Product URx
Weakness CWE-353
Published April 6, 2020
Last update September 16, 2024

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

UR+ (Universal Robots+) is a platform of hardware and software component sellers, for Universal Robots robots. When installing any of these components in the robots (e.g. in the UR10), no integrity checks are performed. Moreover, the SDK for making such components can be easily obtained from Universal Robots. An attacker could exploit this flaw by crafting a custom component with the SDK, performing Person-In-The-Middle attacks (PITM) and shipping the maliciously-crafted component on demand.

Key dates

02Disclosure timeline

April 6, 2020 CVE published
September 16, 2024 Record updated