CISA 2026-06-11

Yarbo Android/iOS Mobile Application and Cloud Infrastructure

CVE-2026-10557

Machine-generated analysis · WAYSCloud LLM

Hard-coded credentials in the Yarbo mobile app grant access to all robot telemetry and command topics via the cloud MQTT infrastructure.

Context

The advisory concerns the Yarbo Android/iOS mobile application and its associated cloud MQTT infrastructure, used in commercial facilities globally. The application contains hard-coded credentials that allow full access to telemetry and command channels for the entire robot fleet. These credentials are static across all users and devices and can be extracted from the app binary. Server-side authorization was added in May 2026, automatically enforcing access controls without user action.

Operator considerations

- Check: Yarbo mobile app versions on devices
- Patch: Update to version 3.17.4 or later
- Log: Monitor for unauthorized access to MQTT broker topics

From Cybersecurity and Infrastructure Security Agency ↗

Successful exploitation of these vulnerabilities could allow an attacker to obtain hard-coded credentials, gain access to telemetry data, and potentially send operational commands to the robot fleet.

The following versions of Yarbo Android/iOS Mobile Application and Cloud Infrastructure are affected:

Yarbo Android/IOS mobile application

Cloud MQTT infrastructure vers:all/*

Vendor

Equipment

Yarbo

Yarbo Android/iOS Mobile Application and Cloud Infrastructure

Use of Hard-coded Credentials, Missing Authorization

Critical Infrastructure Sectors: Commercial Facilities

Countries/Areas Deployed: Worldwide

Company Headquarters Location: China

The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices. These credentials are embedded in the application binary and are readily extractable via APK decompilation. The...

Read the full advisory on CISA →