VYPR
Advisory · Published Jun 11, 2026 · 1 source

CISA Discloses Critical Hard-Coded Credential Flaws in Yarbo Mobile App and Cloud MQTT Infrastructure

CISA disclosed two critical vulnerabilities in Yarbo's Android/iOS mobile app and cloud MQTT infrastructure, including hard-coded broker credentials that could allow attackers to command the entire robot fleet.

CISA has disclosed two critical vulnerabilities affecting Yarbo's Android and iOS mobile applications and its cloud MQTT infrastructure, warning that attackers could exploit hard-coded credentials to take control of the entire global robot fleet. The flaws, tracked as CVE-2026-10557 and CVE-2026-7368, were reported by researcher Markus Lassfolk of Truesec and published in an advisory on June 11, 2026.

CVE-2026-10557 carries a CVSS score of 9.8 and involves hard-coded MQTT broker credentials embedded in the Yarbo mobile application binary. The credentials are the same for every user and every device, so anyone who decompiles the APK can recover them; credentials shipped inside a client binary should be treated as public. Once obtained, they grant access to the cloud MQTT brokers that carry real-time telemetry for the entire global Yarbo robot fleet: an attacker can subscribe with a wildcard filter to every robot's telemetry topics and publish to any robot's command topic, needing nothing more than the target robot's serial number.

The second vulnerability, CVE-2026-7368 (CVSS 8.1), is a missing authorization flaw in the Yarbo cloud infrastructure. The cloud does not enforce per-device or per-user authorization, meaning any client with valid credentials—whether the shared hard-coded credentials or legitimate per-user credentials—can subscribe to wildcard topics covering all robots globally and send commands to any robot using only its serial number. CISA notes that even after removal of hard-coded credentials from the app, a single compromised credential could still provide fleet-wide access without per-device access controls.
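The two flaws compose: the shared credential (CVE-2026-10557) gets a client onto the broker, and the missing per-device authorization (CVE-2026-7368) lets that client, or any single compromised per-user credential, reach every robot. The following is an added illustration, not Yarbo's or CISA's code; it models a broker-side authorization hook in both states. The topic layout (`robots/<serial>/telemetry` and `robots/<serial>/cmd`), the serial numbers and the client identities are assumptions constructed for the example.

```python
"""Added illustration of the MQTT authorization gap and its per-device fix.
Not Yarbo's code. The topic layout below is an assumption for the example:
    robots/<serial>/telemetry   robot publishes, owner app subscribes
    robots/<serial>/cmd         owner app publishes, robot subscribes
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

TELEMETRY, CMD = "telemetry", "cmd"
LEAVES = (TELEMETRY, CMD)


@dataclass(frozen=True)
class Client:
    client_id: str
    role: str                # "app" (owner's phone) or "robot"
    serials: FrozenSet[str]  # serial numbers bound to this identity


def topic_matches(filt: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' is one level, '#' is the remainder and
    also matches the parent itself ('a/#' matches 'a'). A filter that begins
    with a wildcard never matches '$'-prefixed (broker-internal) topics."""
    if filt[:1] in ("+", "#") and topic.startswith("$"):
        return False
    f, t = filt.split("/"), topic.split("/")
    for i, seg in enumerate(f):
        if seg == "#":
            return i == len(f) - 1          # '#' is only valid as the last level
        if i >= len(t) or (seg != "+" and seg != t[i]):
            return False
    return len(f) == len(t)


def authorize_shared_credential(client: Client, action: str, name: str) -> bool:
    """Pre-fix model: a valid credential authenticates, and nothing checks
    whether the topic belongs to this client. Every request is allowed."""
    return True


def authorize_per_device(client: Client, action: str, name: str) -> bool:
    """Fixed model: a client may touch only the topics of the serials bound to
    its identity. The serial level must be a literal the client owns, so
    wildcard filters ('+' or '#' at that level) are refused outright and no
    filter can span other robots."""
    levels = name.split("/")
    if len(levels) != 3 or levels[0] != "robots":
        return False
    serial, leaf = levels[1], levels[2]
    if serial not in client.serials:        # also rejects '+' and '#' here
        return False
    if client.role == "app":
        readable, writable = {TELEMETRY}, {CMD}
    elif client.role == "robot":
        readable, writable = {CMD}, {TELEMETRY}
    else:
        return False
    if action == "subscribe":
        return leaf in readable
    if action == "publish":
        return leaf in writable
    return False


def fleet_topics(serials: Iterable[str]) -> List[str]:
    """All topics that exist for a fleet under the assumed layout."""
    return [f"robots/{s}/{leaf}" for s in sorted(serials) for leaf in LEAVES]


def exposure(filt: str, serials: Iterable[str]) -> List[str]:
    """Fleet topics a subscription filter reaches if the broker accepts it.
    Under the shared-credential model this is the blast radius of one login."""
    return [t for t in fleet_topics(serials) if topic_matches(filt, t)]


if __name__ == "__main__":
    fleet = {"SN-0001", "SN-0002", "SN-0003"}                 # constructed sample serials
    attacker = Client("extracted-app-creds", "app", frozenset())  # shared creds, owns no robot
    owner = Client("alice", "app", frozenset({"SN-0002"}))        # legitimate per-user creds
    for label, fn in (("shared", authorize_shared_credential), ("per-device", authorize_per_device)):
        print(label, "attacker subscribe robots/+/telemetry:", fn(attacker, "subscribe", "robots/+/telemetry"))
        print(label, "attacker publish robots/SN-0001/cmd:   ", fn(attacker, "publish", "robots/SN-0001/cmd"))
        print(label, "owner publish robots/SN-0001/cmd:      ", fn(owner, "publish", "robots/SN-0001/cmd"))
        print(label, "owner publish robots/SN-0002/cmd:      ", fn(owner, "publish", "robots/SN-0002/cmd"))
    print("robots/+/telemetry reaches:", exposure("robots/+/telemetry", fleet))
```

The `exposure` function is the triage view: feed it the wildcard filter the advisory describes and it lists every robot's telemetry topic, which is exactly the fleet-wide read the shared credential grants today. In `authorize_per_device`, note that the owner's legitimate credential is also confined to `SN-0002`; that is the property CISA says is missing, and it is what keeps a single compromised per-user credential from becoming fleet-wide access once the hard-coded credentials are gone. Real brokers expose the same hook as an ACL or auth plugin (Mosquitto's `acl_file`, for instance, supports `pattern` rules keyed on the client's username or client ID), so the check belongs server-side, not in the app.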

The affected products are the Yarbo Android/iOS mobile application in versions prior to 3.17.4 and all versions of the Yarbo Cloud MQTT infrastructure. Yarbo recommends updating the mobile app to version 3.17.4 or later, which addresses the embedded credentials on the client side; the server-side broker authorization that closes the fleet-wide exposure is to be enforced automatically upon deployment of the May 2026 update, with no user action required. Updating the app alone does not remove the authorization gap, since the cloud still accepts any valid credential for any robot until that server-side change is live. CISA reported no known public exploitation of either vulnerability at the time the advisory was released.

The vulnerabilities highlight ongoing risks in IoT and cloud-connected consumer robotics, where hard-coded credentials and missing authorization controls can expose entire fleets to remote takeover. Yarbo, a Chinese company whose robots are deployed worldwide in commercial facilities, now faces the task of retrofitting proper authentication and authorization into its cloud infrastructure. The May 2026 server-side update is expected to close the authorization gap, but the incident underscores the need for secure credential management and per-device access controls in connected device ecosystems: credentials must be issued per user or per device rather than baked into a client, and the broker must confine each identity to the topics of the devices it owns.

Synthesized by Vypr AI