[TIMESTAMP: 2026-06-11 17:28 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

Yarbo Mobile App & Cloud: Critical Robot Fleet Vulnerabilities

Tags: CRITICAL, Vulnerabilities, #CVE-2026-10557, #CVE-2026-7368, #Yarbo
AI-Assisted Analysis
READ_TIME: 5 min read
// executive briefing tl;dr
  • [01] Anyone holding the MQTT credentials shipped inside the Yarbo app can read live telemetry from, and publish operational commands to, the entire global Yarbo robot fleet.
  • [02] Yarbo Android/iOS mobile applications before v3.17.4 and all versions of the associated Yarbo Cloud MQTT infrastructure are affected.
  • [03] Update the Yarbo mobile application to version 3.17.4 or later; the server-side authorization fix is deployed by Yarbo and requires no user action.

Overview of Yarbo Mobile App & Cloud Vulnerabilities

Runtime Rebel is issuing an urgent advisory regarding critical vulnerabilities identified in the Yarbo Android/iOS mobile application and its associated cloud infrastructure. Successful exploitation allows an unauthenticated remote actor to recover hard-coded broker credentials, read real-time telemetry from every robot, and publish operational commands to the entire global Yarbo robot fleet. This is a severe risk, particularly for commercial facilities relying on Yarbo robotics worldwide, and is confirmed by CISA Advisory ICSA-26-162-01.

The vulnerabilities, tracked as CVE-2026-10557 and CVE-2026-7368, expose a fundamental weakness in how the platform authenticates clients and authorizes their access to topics. Organizations using Yarbo products should review their exposure and apply the mitigations below immediately.

Technical Analysis: Hard-coded Credentials and Missing Authorization

Exploiting Yarbo Android/iOS Mobile App Hard-coded Credentials (CVE-2026-10557)

The primary vulnerability, CVE-2026-10557, stems from hard-coded MQTT broker credentials shipped inside the Yarbo Android and iOS applications. The credentials are neither per-user nor per-device: every installation worldwide carries the same pair. Because they are embedded in the application binary, they can be recovered with routine reverse engineering, for example by decompiling the APK or extracting strings from the iOS binary, without any interaction with Yarbo's servers.

With these credentials an attacker can connect to the cloud MQTT brokers, which carry real-time telemetry for the entire global Yarbo robot fleet. The consequences reach far beyond eavesdropping: the attacker can subscribe to wildcard topics to monitor every robot's telemetry, and can publish to any robot's command topic knowing only that robot's serial number, which the telemetry stream itself discloses. The CVE has a CVSS v3.1 base score of 9.8 (CRITICAL): network attack vector, low attack complexity, no privileges and no user interaction required, with high impact on confidentiality, integrity and availability (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The weakness is classified as CWE-798: Use of Hard-coded Credentials.

Missing Authorization in Yarbo Cloud Infrastructure (CVE-2026-7368)

Compounding the credential issue is CVE-2026-7368, a missing-authorization vulnerability in the Yarbo cloud: the broker infrastructure does not enforce per-device or per-user authorization on topics. Any client that authenticates successfully, whether with the shared hard-coded credentials from CVE-2026-10557 or with legitimate per-user credentials, can subscribe to wildcard topics covering all robots globally and can publish commands to any robot using only its serial number, which is openly disclosed in the telemetry stream.

The two flaws are independent: even after the hard-coded credentials are removed from the app, a single compromised legitimate credential would still grant fleet-wide access until the broker restricts each identity to its own robots. This CVE carries a CVSS v3.1 base score of 8.1 (HIGH), reflecting high impact on confidentiality and integrity, and is classified as CWE-862: Missing Authorization.

Both vulnerabilities affect Yarbo Android/iOS mobile applications running versions prior to 3.17.4 and the Yarbo Cloud MQTT infrastructure across all versions.
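To make the authorization gap concrete, here is an added illustration (not Yarbo's code, and the topic layout yarbo/<serial>/telemetry and yarbo/<serial>/cmd is assumed for the example rather than taken from Yarbo's platform): a broker-side authorizer that binds each authenticated principal to the robot serials it owns and rejects any subscription filter that spans the fleet. weak_authorize models the behaviour described for CVE-2026-7368, where any authenticated client may read or write any topic; authorize is the per-device and per-user enforcement that CWE-862 calls for, and it is what makes the shared credentials of CVE-2026-10557 far less damaging.

```python
"""Added example, not Yarbo's code: per-device/per-user MQTT topic
authorization of the kind CVE-2026-7368 says the Yarbo cloud lacked.

Assumed topic layout (illustrative, not Yarbo's real scheme):
    yarbo/<serial>/telemetry   robot publishes, its owner subscribes
    yarbo/<serial>/cmd         owner publishes, the robot subscribes
"""
from dataclasses import dataclass

KNOWN_SUFFIXES = ("telemetry", "cmd")


@dataclass(frozen=True)
class Principal:
    """Identity the broker established at CONNECT time."""
    kind: str             # "device" or "user"
    serials: frozenset    # robot serials this identity is bound to


def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT topic-filter match: '+' is one level, '#' is the remainder."""
    f, t = filter_.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":          # '#' must be last and swallows the rest
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)


def weak_authorize(principal: Principal, action: str, topic: str) -> bool:
    """Broken model: any authenticated client may read or write any topic.
    Combined with shared app credentials this is fleet-wide access."""
    return True


def _readable(p: Principal, serial: str) -> set:
    return {"device": {f"yarbo/{serial}/cmd"},
            "user": {f"yarbo/{serial}/telemetry"}}[p.kind]


def _writable(p: Principal, serial: str) -> set:
    return {"device": {f"yarbo/{serial}/telemetry"},
            "user": {f"yarbo/{serial}/cmd"}}[p.kind]


def authorize(principal: Principal, action: str, topic_or_filter: str) -> bool:
    """Hardened model: a principal touches only topics under its own serials,
    and only in the direction its role needs."""
    levels = topic_or_filter.split("/")
    if len(levels) < 2 or levels[0] != "yarbo":
        return False
    serial = levels[1]
    # The serial level must be a literal serial bound to this principal.
    # This single check is what denies 'yarbo/#' and 'yarbo/+/telemetry'.
    if serial in ("+", "#") or serial not in principal.serials:
        return False
    if action == "publish":
        if "+" in levels or "#" in levels:   # MQTT forbids wildcards in PUBLISH
            return False
        return topic_or_filter in _writable(principal, serial)
    if action == "subscribe":
        # A filter is allowed only if every concrete topic it can match under
        # this serial is one the role may read, so 'yarbo/<serial>/#' is
        # denied to a user because it would also match the command topic.
        candidates = {f"yarbo/{serial}/{s}" for s in KNOWN_SUFFIXES}
        matched = {t for t in candidates if topic_matches(topic_or_filter, t)}
        return bool(matched) and matched <= _readable(principal, serial)
    return False


def demo():
    """Returns (kind, action, topic, weak_result, hardened_result) per attempt."""
    owner = Principal("user", frozenset({"SN-0001"}))
    robot = Principal("device", frozenset({"SN-0001"}))
    # Attacker: valid credentials for one robot, trying to reach the others.
    attacker = Principal("user", frozenset({"SN-9999"}))
    attempts = [
        (owner, "subscribe", "yarbo/SN-0001/telemetry"),
        (owner, "publish", "yarbo/SN-0001/cmd"),
        (robot, "publish", "yarbo/SN-0001/telemetry"),
        (robot, "subscribe", "yarbo/SN-0001/cmd"),
        (attacker, "subscribe", "yarbo/#"),               # whole-fleet telemetry
        (attacker, "subscribe", "yarbo/+/telemetry"),
        (attacker, "publish", "yarbo/SN-0001/cmd"),       # command another robot
        (robot, "publish", "yarbo/SN-0001/cmd"),          # robot acting as owner
    ]
    return [(p.kind, a, t, weak_authorize(p, a, t), authorize(p, a, t))
            for p, a, t in attempts]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The serials a principal may touch must come from the authenticated identity (certificate, token claims or a server-side binding table), never from the client-supplied client ID or from the topic itself; otherwise the check collapses back into the weak model. In practice this logic sits in the broker's ACL hook (an auth plugin for Mosquitto, an authorization rule set for EMQX or HiveMQ), which is where Yarbo's server-side fix belongs.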

Actionable Recommendations and Mitigations

To address the risks posed by these vulnerabilities, security professionals responsible for Yarbo robots should prioritize the following actions:

  • Immediate Application Update: The most critical step for users is to update the Yarbo mobile app to version 3.17.4 or later, which removes the hard-coded credentials. Note that updating the client does not by itself invalidate credentials already extracted from older builds; closing that door depends on the server-side change below.
  • Server-Side Authorization Enforcement: Yarbo has indicated that server-side broker authorization will be automatically enforced upon deployment of the May 2026 update. No user action is required for the server-side fix, but mobile apps must still be updated to benefit from the full remediation.
  • Network Exposure Minimization: Minimize network exposure for all control system devices and systems, and ensure they are not directly accessible from the internet. Where you operate your own broker or gateway for these robots, log connections, subscriptions and publishes so that unauthorized MQTT access can be detected.
  • Network Segmentation: Locate control system networks and remote devices behind firewalls, isolated from the business network. This limits lateral movement if a device is compromised.
  • Secure Remote Access: If remote access is essential, use secure methods such as Virtual Private Networks (VPNs). Keep the VPN software current, and remember that a VPN is only as secure as the devices connected through it.
  • Impact Analysis and Risk Assessment: Before deploying any defensive measures, conduct a thorough impact analysis and risk assessment specific to your operational environment.
  • Defense-in-Depth Strategy: CISA recommends implementing a defense-in-depth strategy for Industrial Control Systems (ICS) cybersecurity, as detailed in their ICS webpage resources.
  • Reporting Suspicious Activity: Organizations observing suspected malicious activity related to these vulnerabilities should follow established internal incident response procedures and report findings to CISA for broader tracking and correlation.
  • Employee Awareness for Phishing and Social Engineering: Although not directly tied to these specific vulnerabilities, CISA also advises measures to protect against social engineering and phishing attacks, as they remain common initial access vectors. Avoid clicking unsolicited web links or opening attachments, and refer to CISA’s guidance on avoiding email scams and social engineering attacks.
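For the detection side of the recommendations, here is an added example (not from Yarbo, CISA or this advisory) of three checks run over a few constructed broker log lines: a subscription filter that spans more than one robot's serial, a single client publishing commands to several robots, and one username connecting from many source addresses, which is what a shared credential looks like from the broker. The line shapes imitate Mosquitto's verbose log, and the topic layout yarbo/<serial>/{telemetry,cmd}, the username yarbo-app and the thresholds are assumptions for the example; adjust the regular expressions to the broker you actually run.

```python
"""Added example, not Yarbo's or CISA's code: detections for the abuse
pattern behind CVE-2026-10557 / CVE-2026-7368, run over constructed
Mosquitto-style broker log lines. Topic layout yarbo/<serial>/{telemetry,cmd}
and the username are assumed for illustration."""
import re
from collections import defaultdict

CONNECT_RE = re.compile(
    r"New client connected from (?P<ip>[\d.]+):\d+ as (?P<cid>\S+) \(.*u'(?P<user>[^']*)'\)")
SUB_HDR_RE = re.compile(r"Received SUBSCRIBE from (?P<cid>\S+)")
SUB_TOPIC_RE = re.compile(r"^\d+:\s+(?P<filter>\S+) \(QoS \d\)")
PUB_RE = re.compile(r"Received PUBLISH from (?P<cid>\S+) \(.*?'(?P<topic>[^']+)'")

# Constructed sample: one legitimate owner, one reconnaissance client using a
# fleet-wide wildcard, one client commanding three different robots, all three
# authenticated with the same (assumed) shared username.
SAMPLE_LOG = """\
1718120000: New client connected from 203.0.113.5:51234 as app-a1 (p2, c1, k60, u'yarbo-app').
1718120001: Received SUBSCRIBE from app-a1
1718120001:     yarbo/SN-0001/telemetry (QoS 0)
1718120010: New client connected from 198.51.100.7:40001 as recon-1 (p2, c1, k60, u'yarbo-app').
1718120011: Received SUBSCRIBE from recon-1
1718120011:     yarbo/# (QoS 0)
1718120020: New client connected from 198.51.100.9:40002 as ctl-1 (p2, c1, k60, u'yarbo-app').
1718120021: Received PUBLISH from ctl-1 (d0, q1, r0, m1, 'yarbo/SN-0001/cmd', ... (12 bytes))
1718120022: Received PUBLISH from ctl-1 (d0, q1, r0, m2, 'yarbo/SN-0002/cmd', ... (12 bytes))
1718120023: Received PUBLISH from ctl-1 (d0, q1, r0, m3, 'yarbo/SN-0003/cmd', ... (12 bytes))
""".splitlines()


def fleet_wildcard(filter_: str) -> bool:
    """True if the filter spans more than one serial: the level that should
    hold a literal serial is '+' or '#', or the filter is a bare '#'."""
    levels = filter_.split("/")
    return levels[0] == "#" or (len(levels) > 1 and levels[1] in ("+", "#"))


def analyze(lines, shared_ip_threshold=3, cmd_serial_threshold=2):
    """Return a list of (rule, subject, detail) findings for the given lines."""
    conns = defaultdict(set)        # username -> source IPs seen
    cmd_targets = defaultdict(set)  # client id -> serials it commanded
    findings = []
    pending_sub = None              # client whose SUBSCRIBE topics follow
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            conns[m["user"]].add(m["ip"])
            pending_sub = None
            continue
        m = SUB_HDR_RE.search(line)
        if m:
            pending_sub = m["cid"]
            continue
        m = SUB_TOPIC_RE.match(line)
        if m and pending_sub:
            if fleet_wildcard(m["filter"]):
                findings.append(("fleet_wildcard_subscribe", pending_sub, m["filter"]))
            continue
        pending_sub = None
        m = PUB_RE.search(line)
        if m:
            levels = m["topic"].split("/")
            if len(levels) == 3 and levels[0] == "yarbo" and levels[2] == "cmd":
                cmd_targets[m["cid"]].add(levels[1])
    for cid, serials in cmd_targets.items():
        if len(serials) >= cmd_serial_threshold:
            findings.append(("multi_robot_command", cid, sorted(serials)))
    for user, ips in conns.items():
        if len(ips) >= shared_ip_threshold:
            findings.append(("shared_credential", user, len(ips)))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The first two rules are high-signal: a legitimate owner app has no reason to subscribe above its own serial or to command more than one robot at a time. The third is a posture indicator rather than an alert; a username seen from many addresses is exactly what a shared hard-coded credential produces, and it should fall away once credentials are issued per user.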
