Skip to main content

Yarbo firmware CVE-2026-7413

| EUVDEUVD-2026-28398 HIGH
Hidden Functionality (CWE-912)
2026-05-07 AHA GHSA-pq5m-hxx2-xhw5
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 07, 2026 - 17:30 vuln.today
CVE Published
May 07, 2026 - 16:09 nvd
HIGH 7.2

DescriptionCVE.org

A hidden, persistent backdoor was found in Yarbo firmware v2.3.9 that provides remote, unauthenticated (or weakly authenticated) access to privileged functionality. The backdoor is undocumented, cannot be disabled via user-facing settings, and survives factory reset and ordinary firmware updates.

AnalysisAI

Undocumented persistent backdoor in Yarbo firmware v2.3.9 grants remote privileged access that survives factory reset and firmware updates. The backdoor requires high-privilege authentication (CVSS PR:H) but provides complete system control once accessed. No public exploit identified at time of analysis, though GitHub repository reference suggests technical disclosure exists. CVSS 7.2 reflects the high-privilege requirement, but persistence across resets and undocumented nature indicate significant supply chain or insider threat risk.

Technical ContextAI

This vulnerability represents CWE-912 (Hidden Functionality), a supply chain security concern involving intentionally embedded backdoor code in IoT device firmware. The affected product is Yarbo firmware version 2.3.9, identified by CPE cpe:2.3:a:yarbo:firmware:*:*:*:*:*:*:*:*. Unlike typical vulnerabilities arising from coding errors, CWE-912 involves deliberately placed functionality that bypasses normal access controls. The backdoor's persistence through factory reset indicates it resides in non-volatile storage outside user-accessible partitions, and its survival through ordinary firmware updates suggests it may be re-injected during the update process or stored in a protected boot partition. The description characterizes authentication as 'unauthenticated or weakly authenticated,' but the CVSS vector indicates PR:H (high privileges required), suggesting either hardcoded credentials known to the backdoor authors or a secondary authentication bypass mechanism.

RemediationAI

No vendor-released patch identified at time of analysis. The standard remediation approach of firmware updates is explicitly ineffective as the description states the backdoor 'survives ordinary firmware updates,' indicating re-injection or protected persistence mechanisms. Organizations running Yarbo firmware v2.3.9 should immediately implement network-level isolation: segment affected devices to dedicated VLAN with strict firewall rules blocking all inbound network access except from authorized management systems with IP whitelisting and mandatory MFA. Monitor all authentication attempts to Yarbo devices through SIEM correlation for credential abuse patterns. If devices support it, disable remote management features entirely and require physical console access, though description notes backdoor 'cannot be disabled via user-facing settings.' Contact Yarbo vendor directly for supply chain investigation and remediation guidance, referencing CVE-2026-7413 and GitHub disclosure at https://github.com/Bin4ry/yarbo-nat-in-my-back-yard. Consider hardware replacement if vendor cannot provide cryptographically signed firmware update that verifiably removes backdoor code and implements secure boot mechanisms. Network isolation carries operational impact of preventing legitimate remote management but is necessary compensating control until vendor provides verified clean firmware.

CVE-2014-8656 CRITICAL POC
10.0 Nov 06

The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH have a d

CVE-2013-2645 CRITICAL POC
9.3 Oct 06

Multiple cross-site request forgery (CSRF) vulnerabilities on the TP-LINK WR1043N router with firmware TL-WR1043ND_V1_12

CVE-2014-8657 MEDIUM POC
5.0 Nov 06

The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH allows r

CVE-2014-8655 MEDIUM POC
5.0 Nov 06

The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH allows r

CVE-2014-8654 MEDIUM POC
6.8 Nov 06

Multiple cross-site request forgery (CSRF) vulnerabilities in Compal Broadband Networks (CBN) CH6640E and CG6640E Wirele

CVE-2014-8653 MEDIUM POC
4.3 Nov 06

Cross-site scripting (XSS) vulnerability in Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 wit

CVE-2026-11405 CRITICAL
9.8 Jul 06

Authentication bypass in Tenda router firmware (AC10, AC5, AC6, FH1201, W15E) lets any user log in as administrator via

CVE-2026-7415 CRITICAL
9.8 May 07

Anonymous MQTT access in Yarbo firmware v2.3.9 allows remote unauthenticated attackers on the local network to fully con

CVE-2026-7414 CRITICAL
9.8 May 07

Hardcoded administrative credentials in Yarbo firmware v2.3.9 allow remote unauthenticated attackers to gain full device

CVE-2016-6257 MEDIUM
6.5 Aug 02

The firmware in Lenovo Ultraslim dongles, as used with Lenovo Liteon SK-8861, Ultraslim Wireless, and Silver Silk keyboa

Share

CVE-2026-7413 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy