#Vulnerabilities

Universal Robots Polyscope 5 Vulnerability Exposes Industrial Robots to Remote Attacks

Vulnerabilities Reporter

CISA warns of critical vulnerability in Universal Robots' Polyscope 5 software that could allow unauthorized control over industrial robots, potentially causing physical damage or safety hazards.

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Universal Robots Polyscope 5 to its Known Exploited Vulnerabilities catalog. The vulnerability, tracked as CVE-2023-46608, allows remote attackers to execute arbitrary code on affected robots, potentially enabling unauthorized control over industrial equipment used in manufacturing, healthcare, and other critical infrastructure.

Affected versions include Universal Robots Polyscope 5.0 through 5.12. Universal Robots has released version 5.13 to address this vulnerability. The CVSS v3.1 base score is 8.8 (High), with a CVSS vector of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

The vulnerability stems from improper authentication in the UR Network Service component. An unauthenticated attacker on the same network could send specially crafted packets to the robot's control interface, gaining full control over robot movements and operations. This could lead to physical damage to equipment, injury to personnel, or disruption of critical manufacturing processes.

Universal Robots has released a security advisory detailing the vulnerability and providing mitigation steps. Organizations using affected versions should immediately upgrade to Polyscope 5.13 or later. For systems that cannot be upgraded immediately, Universal Robots recommends implementing network segmentation to isolate robots from untrusted networks and implementing strict firewall rules to restrict access to the robot's control interface.

CISA urges all organizations using Universal Robots to review their security posture and implement the recommended mitigations. The agency has observed active exploitation of this vulnerability in the wild, particularly in manufacturing environments where robots are connected to enterprise networks for monitoring and control purposes.

Universal Robots is a leading manufacturer of collaborative robots (cobots) used in various industries worldwide. The Polyscope software is the primary interface for programming and controlling these robots. According to the company, over 60,000 Universal Robots are deployed globally in industries ranging from automotive manufacturing to food processing.

The vulnerability was discovered by researchers at the OT Security Lab and responsibly disclosed to Universal Robots in June 2023. The company worked with researchers to develop a patch before public disclosure.

For organizations with legacy systems that cannot be upgraded, Universal Robots has provided additional hardening guidelines, including disabling unnecessary network services and implementing access control lists. Detailed instructions are available in the Universal Robots Security Advisory.
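One way to check the segmentation and firewall advice above (and the earlier mitigation paragraph) against real traffic, as an added example that is not from the advisory or from Universal Robots: the script below audits firewall flow records for connections to the robot control interface from hosts outside an allowlisted OT segment, flagging both permitted connections (a segmentation gap) and blocked ones (a probe worth alerting on). The subnets, the log format and the control-interface port numbers are assumptions, since the article names none of them; the sample log lines are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed segmentation policy (placeholders, not taken from the advisory).
ROBOT_SUBNET = ipaddress.ip_network("10.50.1.0/24")        # where the cobot controllers live
ALLOWED_SOURCES = [ipaddress.ip_network("10.50.2.0/24"),   # OT engineering workstations
                   ipaddress.ip_network("10.20.0.5/32")]   # monitoring jump host
# Placeholder ports for the control interface; fill in from the vendor advisory.
ROBOT_CONTROL_PORTS = {30001, 30002}

# Assumed key=value flow-log format produced by the perimeter firewall.
LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)")

@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str

def is_allowed_source(src: str) -> bool:
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ALLOWED_SOURCES)

def audit(lines):
    """Return findings for control-interface traffic that violates the allowlist."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        dport = int(rec["dport"])
        # Only traffic aimed at a robot's control interface is in scope.
        if ipaddress.ip_address(rec["dst"]) not in ROBOT_SUBNET or dport not in ROBOT_CONTROL_PORTS:
            continue
        if is_allowed_source(rec["src"]):
            continue
        reason = ("allowed by firewall but outside allowlist: segmentation gap"
                  if rec["action"] == "allow" else "blocked probe from outside allowlist")
        findings.append(Finding(rec["ts"], rec["src"], rec["dst"], dport, reason))
    return findings

# Constructed sample log: two legitimate sessions, one enterprise host reaching the
# robot, one non-control connection, one blocked external probe, one off-subnet flow.
SAMPLE_LOG = """2024-01-15T10:02:11Z src=10.50.2.21 dst=10.50.1.7 dport=30002 proto=tcp action=allow
2024-01-15T10:02:15Z src=10.20.0.5 dst=10.50.1.7 dport=30001 proto=tcp action=allow
2024-01-15T10:03:40Z src=10.20.5.14 dst=10.50.1.7 dport=30002 proto=tcp action=allow
2024-01-15T10:04:02Z src=10.20.5.14 dst=10.50.1.7 dport=443 proto=tcp action=allow
2024-01-15T10:05:09Z src=192.168.77.3 dst=10.50.1.8 dport=30001 proto=tcp action=deny
2024-01-15T10:05:30Z src=10.50.2.21 dst=10.60.0.2 dport=30002 proto=tcp action=allow"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} {f.reason}")
```

Run against the constructed log it reports two findings: the enterprise host that the firewall let through to the control port, and the denied probe from an unrelated network.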

CISA encourages organizations to report any suspected exploitation of this vulnerability or other cybersecurity issues to the agency through its reporting portal. The agency continues to monitor the situation and will provide updates as new information becomes available.

This alert underscores the growing convergence of IT and operational technology (OT) security. As industrial robots become increasingly connected to enterprise networks, they present new attack surfaces that must be secured to protect both digital assets and physical safety.

Organizations should review their entire attack surface, including all connected devices, to ensure comprehensive security coverage. The CISA OT Security page provides additional resources for securing industrial control systems and connected devices.

This is a developing situation. CISA will update this alert as new information becomes available. Organizations are encouraged to subscribe to CISA's newsletters (cisa.gov/news-events/newsletters) for the latest cybersecurity alerts and best practices.
