Skip to main content

Yarbo Mobile Application CVE-2026-10557

| EUVDEUVD-2026-36434 CRITICAL
Use of Hard-coded Credentials (CWE-798)
2026-06-12 icscert GHSA-65ch-m8fq-jhr5
9.3
CVSS 4.0 · Vendor: icscert
Share

Severity by source

Vendor (icscert) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Credentials are embedded in the public app binary, so any remote attacker can extract and use them without authentication or interaction, yielding full read/write control over fleet telemetry and commands.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (icscert).

CVSS VectorVendor: icscert

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 12, 2026 - 16:01 EUVD
Analysis Generated
Jun 12, 2026 - 14:54 vuln.today
CVE Published
Jun 12, 2026 - 14:05 cve.org
CRITICAL 9.3

DescriptionCVE.org

The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices. These credentials are embedded in the application binary and are readily extractable via APK decompilation. The credentials provide access to cloud MQTT brokers carrying real-time telemetry for the entire global Yarbo robot fleet. They allow both wildcard subscription to all robot telemetry topics and publishing to any robot's command topic using only the robot's serial number.

AnalysisAI

Hard-coded MQTT broker credentials in Yarbo Android and iOS applications allow remote unauthenticated attackers to subscribe to and publish on the cloud MQTT brokers serving the entire global Yarbo robot fleet. Because the credentials are identical across all users and devices and trivially extractable via APK decompilation, anyone knowing a target robot's serial number can read its telemetry or send arbitrary commands. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and CISA ICS advisory reflect the systemic, fleet-wide nature of the exposure.

Technical ContextAI

The affected components are the Yarbo Android/iOS mobile applications (cpe:2.3:a:yarbo:yarbo_android/ios_mobile_application) and the backing Yarbo cloud MQTT infrastructure (cpe:2.3:a:yarbo:yarbo_cloud_mqtt_infrastructure). MQTT is a lightweight publish/subscribe protocol commonly used for IoT telemetry and command channels, where clients authenticate to a broker and are typically authorized per-topic. The root cause is CWE-798 (Use of Hard-coded Credentials): a single shared username/password is compiled into the mobile binary and used by every installation, so reverse engineering one APK yields full broker access. Compounding the issue, the broker's ACLs allow wildcard subscription across all robot telemetry topics and publishing to any robot's command topic keyed only by serial number, meaning the credential is also over-privileged.

RemediationAI

No vendor-released patch identified at time of analysis from the provided references; remediation requires Yarbo to rotate the shared MQTT credentials, migrate to per-device or per-user credentials (for example, X.509 client certificates or short-lived JWTs provisioned per robot), and tighten broker ACLs so each client can only subscribe and publish to its own topic namespace rather than fleet-wide wildcards. Operators should monitor https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-01 for an updated mobile app version and install it once released. Until a fix ships, compensating controls are limited because the broker is vendor-operated, but Yarbo can server-side revoke the leaked credentials and force re-authentication (side effect: existing app installs will lose connectivity until updated), and customers should treat robot serial numbers as sensitive, avoid publishing them in photos or marketplace listings, and where possible power down robots when unattended to limit availability impact from rogue commands.

Share

CVE-2026-10557 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy