Executive Summary
In June 2026, critical vulnerabilities were identified in Yarbo's Android and iOS mobile applications and cloud infrastructure. These flaws included hard-coded MQTT broker credentials and inadequate authorization controls, allowing unauthorized access to telemetry data and remote command execution on Yarbo's robotic devices. Exploitation of these vulnerabilities could lead to unauthorized control over the robot fleet and exposure of sensitive user information. Yarbo has since released updates to address these issues, urging users to update their applications to version 3.17.4 or later. This incident underscores the persistent risks associated with hard-coded credentials and misconfigured cloud services in IoT devices. As the adoption of connected devices continues to rise, ensuring robust security measures and regular updates is crucial to prevent unauthorized access and potential exploitation.
Why This Matters Now
The Yarbo vulnerabilities highlight the critical need for secure coding practices and proper cloud configuration in IoT devices. With the increasing integration of such devices into daily life, addressing these security gaps is essential to protect user data and prevent potential cyber threats.
Attack Path Analysis
An attacker exploited hard-coded MQTT broker credentials in the Yarbo mobile applications to gain unauthorized access to the cloud infrastructure. Using these credentials, the attacker subscribed to telemetry data and published commands to any robot in the fleet. The lack of per-device or per-user authorization allowed the attacker to escalate privileges and control multiple devices. The attacker moved laterally across the cloud environment by leveraging the shared credentials and absence of access controls. Establishing command and control, the attacker maintained persistent access to the robot fleet. The attacker exfiltrated sensitive telemetry data from the robots. Finally, the attacker sent malicious commands to the robots, potentially disrupting operations.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited hard-coded MQTT broker credentials in the Yarbo mobile applications to gain unauthorized access to the cloud infrastructure.
Related CVEs
CVE-2026-10557 (CVSS 9.8)
The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and devices, allowing unauthorized access to telemetry data and potential control over the robot fleet.
Affected Products:
Yarbo: Android/iOS Mobile Application – < 3.17.4
Yarbo: Cloud MQTT Infrastructure – all versions
Exploit Status:
no public exploit
CVE-2026-7368 (CVSS 8.1)
The Yarbo cloud infrastructure lacks per-device or per-user authorization, enabling any client with valid credentials to access and control any robot in the global fleet.
Affected Products:
Yarbo: Android/iOS Mobile Application – < 3.17.4
Yarbo: Cloud MQTT Infrastructure – all versions
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Valid Accounts
Credentials in Files
Application Layer Protocol: Web Protocols
Remote Services: Remote Desktop Protocol
Network Service Scanning
Indicator Removal on Host: File Deletion
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Authentication
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Access Privileges
Control ID: 500.07
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Commercial Real Estate
Property management systems using Yarbo robotic fleets face critical exposure to hard-coded MQTT credentials enabling unauthorized fleet access and operational disruption.
Facilities Services
Cloud misconfiguration vulnerabilities in robotic maintenance systems allow attackers to intercept telemetry data and send malicious commands across managed facility networks.
Construction
Construction sites deploying automated robotic equipment face fleet-wide compromise through missing authorization controls, exposing project operations and sensitive location data.
Consumer Services
Service providers utilizing robotic automation face regulatory compliance violations under HIPAA and PCI standards due to unencrypted data transmission vulnerabilities.
Sources
- Yarbo Android/iOS Mobile Application and Cloud Infrastructure (CISA ICS Advisory ICSA-26-162-01): https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-01
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to exploit shared credentials and move laterally within the cloud environment, thereby reducing the potential blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's unauthorized access would likely be constrained, limiting their ability to exploit shared credentials across the cloud environment.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and control multiple devices would likely be limited, reducing the scope of unauthorized actions.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the cloud environment would likely be constrained, reducing the potential for widespread compromise.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels would likely be limited, reducing persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive telemetry data would likely be constrained, reducing data loss.
The attacker's ability to disrupt operations by sending malicious commands to the robots would likely be limited, reducing operational impact.
Impact at a Glance
Affected Business Functions
- Fleet Management
- Customer Service
- Operational Control
Estimated downtime: 3 days
Estimated loss: $50,000
Telemetry data of the entire global Yarbo robot fleet, including operational commands and robot serial numbers.
Recommended Actions
Key Takeaways & Next Steps
- Implement per-device and per-user authorization to prevent unauthorized access.
- Remove hard-coded credentials from applications to eliminate shared access vulnerabilities.
- Enforce least privilege access controls to limit the scope of potential compromises.
- Monitor and audit access logs to detect and respond to unauthorized activities.
- Regularly review and update security configurations to address potential misconfigurations.
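The attack path above and the first two recommended actions describe the same broker-side gap: one shared credential with no per-identity topic policy, so any authenticated client can read or command any robot. The following example, added here and not taken from Yarbo's applications or cloud code, models both policies side by side: a "shared" authorizer that admits every authenticated client to every topic, and an identity-scoped authorizer that ties each device to its own topics and each user to the robots registered to them. The topic layout (`robots/<serial>/telemetry`, `robots/<serial>/cmd`), the `Principal` type, and the `FLEET` registry are assumptions constructed for illustration, not Yarbo's real topic names or identifiers. The scoped authorizer also refuses wildcard subscriptions such as `robots/+/telemetry` or `robots/#` whenever they would reach a robot outside the caller's own set, which is the fleet-wide read the advisory describes.

```python
"""Per-device and per-user MQTT topic authorization (added example, not Yarbo's code).

Contrasts a broker policy with one shared credential and no ACL against an
identity-scoped policy. Topic layout 'robots/<serial>/telemetry' and
'robots/<serial>/cmd' is a hypothetical layout chosen for illustration.
"""
from dataclasses import dataclass

LEAVES = ("telemetry", "cmd")

# Constructed fleet registry: the serials this broker knows about (hypothetical values).
FLEET = frozenset({"RB-0001", "RB-0002", "RB-0003"})


@dataclass(frozen=True)
class Principal:
    kind: str                          # "device" or "user"
    ident: str                         # device serial, or user id
    devices: frozenset = frozenset()   # serials a user owns; unused for devices


def topic_matches(filt: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches one level, '#' matches the rest (last level only)."""
    f, t = filt.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return i == len(f) - 1
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)


def allowed_topics(p: Principal, action: str) -> frozenset:
    """Concrete topics a principal may use for the given action under the scoped policy.

    A robot publishes only its own telemetry and listens only on its own command topic;
    a user reads telemetry from, and sends commands to, only the robots registered to them.
    """
    if p.kind == "device":
        serials, leaf = {p.ident}, ("telemetry" if action == "publish" else "cmd")
    else:
        serials, leaf = p.devices, ("cmd" if action == "publish" else "telemetry")
    return frozenset(f"robots/{s}/{leaf}" for s in serials)


def authorize_shared(p: Principal, action: str, topic: str) -> bool:
    """The weak policy: one broker credential for everyone and no ACL, so any
    authenticated client may publish or subscribe anywhere."""
    return True


def authorize_scoped(p: Principal, action: str, topic: str, fleet: frozenset = FLEET) -> bool:
    """The corrected policy.

    Publishes must name an allowed concrete topic. Subscriptions may carry wildcards,
    so they are expanded against the fleet registry and allowed only if every topic
    they could match belongs to the principal (and at least one does).
    """
    allowed = allowed_topics(p, action)
    if action == "publish":
        return topic in allowed
    universe = {f"robots/{s}/{leaf}" for s in fleet for leaf in LEAVES}
    matched = {t for t in universe if topic_matches(topic, t)}
    return bool(matched) and matched <= allowed


def demo() -> dict:
    """Decisions for a few constructed requests, keyed by a short description."""
    owner = Principal("user", "owner-a", frozenset({"RB-0001"}))
    other = Principal("user", "owner-b", frozenset({"RB-0003"}))   # valid account, different robot
    robot = Principal("device", "RB-0002")
    return {
        "other user commands RB-0001 (shared)": authorize_shared(other, "publish", "robots/RB-0001/cmd"),
        "other user commands RB-0001 (scoped)": authorize_scoped(other, "publish", "robots/RB-0001/cmd"),
        "other user reads whole fleet (scoped)": authorize_scoped(other, "subscribe", "robots/+/telemetry"),
        "owner reads own telemetry (scoped)": authorize_scoped(owner, "subscribe", "robots/RB-0001/telemetry"),
        "robot publishes own telemetry (scoped)": authorize_scoped(robot, "publish", "robots/RB-0002/telemetry"),
        "robot publishes as another robot (scoped)": authorize_scoped(robot, "publish", "robots/RB-0001/telemetry"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{'ALLOW' if decision else 'DENY ':5} {case}")
```

In a real deployment the `FLEET` registry and the user-to-serial mapping come from the device registry, and each robot and each app installation authenticates with its own credential (for example a per-device certificate) so that the broker actually knows which `Principal` is calling; a topic ACL is only as good as the identity behind it.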