OTPulse

Vecna VGo Robot (Update A)

Plan Patch | 8.8 | ICS-CERT ICSA-18-114-01 | Apr 24, 2018
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

The Vecna VGo Robot versions 3.0.352164 and 3.0.353662 contain multiple vulnerabilities: unencrypted firmware updates allowing credential extraction (CWE-319), weak access control on the XAMPP Client interface (CWE-285, CWE-284), and potential command injection leading to remote code execution as root (CWE-78). These flaws allow an attacker to capture firmware in transit, extract valid credentials, eavesdrop on video conversations, and potentially execute arbitrary code on the device with elevated privileges.

What this means
What could happen
An attacker with network access and valid credentials could extract credentials from firmware, intercept video conversations, or gain remote code execution with root privileges on the VGo robot, potentially allowing them to control the device or monitor sensitive interactions.
Who's at risk
Transportation and healthcare organizations that operate Vecna VGo telepresence robots for remote interaction and monitoring should prioritize this vulnerability. The VGo is typically used for remote consultations, facility tours, and communications where credential compromise and video interception pose significant risks.
How it could be exploited
An attacker on the network could capture unencrypted firmware updates in transit to extract embedded credentials (CWE-319), use valid credentials to authenticate to the XAMPP client interface (CWE-285/284), and escalate to remote code execution with root access (CWE-78). Alternatively, an attacker with physical access could use USB ports to load malicious code if ports are not locked down.
Prerequisites
  • Network access to the VGo robot device
  • Valid XAMPP Client credentials (which can be extracted from captured firmware updates)
  • VGo automatic updates must be enabled for the firmware capture attack vector

  • Remotely exploitable
  • Requires valid credentials (but credentials can be extracted from firmware)
  • Low complexity attack (firmware capture is passive)
  • Root-level code execution possible
  • No patch available for some CVEs (CVE-2018-17931, CVE-2018-17933)
  • Unencrypted firmware updates (CWE-319)
  • Weak access controls
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product: Go Robot
Affected Versions: 3.0.352164 | 3.0.353662
Fix Status: No fix yet
Remediation & Mitigation
Do now
HARDENING: Create and enforce strong, unique credentials for all VGo XAMPP Client accounts. Change any default credentials.
HARDENING: Restrict physical and network access to VGo robots. Limit who is permitted to use or access the device.
WORKAROUND: Place physical locks over USB ports on the VGo robot. Disable USB ports in the device settings when not required for legitimate maintenance.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Enable automatic updates on the VGo robot (Settings > Advanced Settings > Automatic Updates). Ensure the robot has internet access for automatic update downloads.
HOTFIX: Check for and install any available firmware update for CVE-2018-8858. Verify with Vecna if a patched version is available.
Long-term hardening
HARDENING: Segment the VGo robot on a restricted network or VLAN separate from critical systems and endpoints with sensitive data.