MSA-16: Command injection

Last modified: 24 Sept 2025

Note

This Security Advisory is based on a thorough investigation and all findings that were available at the time of publication. Should new information become available, it is possible that the initial assessment changes and the Security Advisory will be updated.

Summary

MiR software versions prior to version 3.0.0 are affected by a command injection vulnerability. A malicious HTTP request crafted by an authenticated user could allow the execution of arbitrary commands on the underlying operating system.

CVSS 3.1 Base Score: 8.8 (High)

CVSS 3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products

Product

Affected software versions

MiR Robots

< 3.0.0

MiR Fleet

< 3.0.0

Attribution

This vulnerability was discovered and reported by Lockheed Martin Red Team.

References

  1. NIST NVD entry: CVE-2025-8748

  2. MiR Cybersecurity Guide: https://supportportal.mobile-industrial-robots.com/documentation/mircybersecurity-guide/mir-cybersecurity-guide/

Recommended Actions

  1. Update to the newest software version, at least version 3.0.0

Compensating Controls

If you cannot immediately update to the recommended version, we recommend the following compensating measures:

  1. Operate the MiR system in a segmented and secured network with strict firewall rules

  2. Secure user accounts on the MiR system as recommended in the MiR Cybersecurity Guide

Revision history

Date

Description

September 24, 2025

Revised as part of a webpage update

March 19, 2024

Initial Advisory publication