Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Credentials are embedded in the public app binary, so any remote attacker can extract and use them without authentication or interaction, yielding full read/write control over fleet telemetry and commands.
Primary rating from Vendor (icscert).
CVSS VectorVendor: icscert
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices. These credentials are embedded in the application binary and are readily extractable via APK decompilation. The credentials provide access to cloud MQTT brokers carrying real-time telemetry for the entire global Yarbo robot fleet. They allow both wildcard subscription to all robot telemetry topics and publishing to any robot's command topic using only the robot's serial number.
AnalysisAI
Hard-coded MQTT broker credentials in Yarbo Android and iOS applications allow remote unauthenticated attackers to subscribe to and publish on the cloud MQTT brokers serving the entire global Yarbo robot fleet. Because the credentials are identical across all users and devices and trivially extractable via APK decompilation, anyone knowing a target robot's serial number can read its telemetry or send arbitrary commands. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and CISA ICS advisory reflect the systemic, fleet-wide nature of the exposure.
Technical ContextAI
The affected components are the Yarbo Android/iOS mobile applications (cpe:2.3:a:yarbo:yarbo_android/ios_mobile_application) and the backing Yarbo cloud MQTT infrastructure (cpe:2.3:a:yarbo:yarbo_cloud_mqtt_infrastructure). MQTT is a lightweight publish/subscribe protocol commonly used for IoT telemetry and command channels, where clients authenticate to a broker and are typically authorized per-topic. The root cause is CWE-798 (Use of Hard-coded Credentials): a single shared username/password is compiled into the mobile binary and used by every installation, so reverse engineering one APK yields full broker access. Compounding the issue, the broker's ACLs allow wildcard subscription across all robot telemetry topics and publishing to any robot's command topic keyed only by serial number, meaning the credential is also over-privileged.
RemediationAI
No vendor-released patch identified at time of analysis from the provided references; remediation requires Yarbo to rotate the shared MQTT credentials, migrate to per-device or per-user credentials (for example, X.509 client certificates or short-lived JWTs provisioned per robot), and tighten broker ACLs so each client can only subscribe and publish to its own topic namespace rather than fleet-wide wildcards. Operators should monitor https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-01 for an updated mobile app version and install it once released. Until a fix ships, compensating controls are limited because the broker is vendor-operated, but Yarbo can server-side revoke the leaked credentials and force re-authentication (side effect: existing app installs will lose connectivity until updated), and customers should treat robot serial numbers as sensitive, avoid publishing them in photos or marketplace listings, and where possible power down robots when unattended to limit availability impact from rogue commands.
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36434
GHSA-65ch-m8fq-jhr5