# CVE-2025-45467: Insecure Firmware Verification in Unitree Go1
## Summary
A critical vulnerability (**CVE-2025-45467**) has been discovered in **Unitree Go1** robotic dog (all firmware versions ≤ `Go1_2022_05_11`), where the **firmware update mechanism** relies solely on **insecure MD5 hash checks** for integrity verification. This allows an attacker to bypass authentication checks and upload **malicious firmware**, leading to **remote code execution**, **privilege escalation**, and **information disclosure**.
---
## Vulnerability Details
- **Vulnerability Type:** Insecure Permissions
- **Impact:**
- Remote Code Execution ✅
- Privilege Escalation ✅
- Information Disclosure ✅
- **Attack Type:** Remote (via Wi-Fi AP/client mode or Ethernet)
- **Component:** `/run.sh` script in official firmware
- **Verification Method Used:** MD5 checksum only (no signature/authentication)
---
## Affected Products
- **Vendor:** [Unitree Robotics](https://www.unitree.com/cn/go1)
- **Product:** Unitree Go1
- **Affected Versions:** All firmware versions ≤ `Go1_2022_05_11`
- **Firmware Package:**
[Go1_2022_05_11_e0d0e617.zip](https://unitreeapp.oss-cn-beijing.aliyuncs.com/Go1_2022_05_11_e0d0e617.zip)
---
## Proof of Concept (PoC)
1. **Download and extract the official firmware**
```bash
unzip Go1_2022_05_11_e0d0e617.zip
2. **Inspect /run.sh**
3. **The script performs MD5 hash checking, without any form of digital signature or certificate validation.**
4. **Modify the firmware as you want**
5. **Recalculate MD5** of firmware**
6. **Upload the malicious firmware**
7. **Use Wi-Fi (AP/client mode) or Ethernet to push the modified firmware to the robot.**
Log in to view the POC file snapshot cached by Shenlong Bot
Log in to view