Yarbo Android/iOS Mobile Application and Cloud Infrastructure (CVE-2026-10557, CVE-2026-7368)
Yarbo Android and iOS applications contain hard-coded MQTT credentials (CVE-2026-10557) that, combined with missing cloud authorization controls (CVE-2026-7368), allow attackers to access global robot telemetry and issue unauthorized commands to any device in the fleet.
What Happened
Security researchers discovered critical flaws in the Yarbo mobile app and the cloud service it talks to. The app shipped with hard-coded MQTT broker credentials that anyone could extract from the installer package, and the cloud broker did not check which robot a connected client was entitled to talk to. An attacker could therefore track, and send commands to, any Yarbo robot worldwide. Users should update the Yarbo mobile app to version 3.17.4 or later. Note that the app update only removes the extractable credentials from the client; the missing authorization checks live in the vendor's cloud infrastructure and can only be closed by the vendor (see Affected Systems).
Key Takeaways
- Yarbo Android and iOS mobile applications contain hard-coded MQTT broker credentials, extractable by decompiling the Android APK or unpacking the iOS IPA.
- The Yarbo cloud infrastructure lacks per-device authorization, allowing fleet-wide access with a single valid credential.
- Attackers can read global telemetry data and send operational commands to any robot using its serial number.
- Users must update the mobile app to version 3.17.4 or later to mitigate the client-side risk.
Affected Systems
- Yarbo Android mobile application < v3.17.4
- Yarbo iOS mobile application < v3.17.4
- Yarbo Cloud MQTT infrastructure (all versions prior to May 2026 update)
Vulnerabilities (CVEs)
- CVE-2026-10557
- CVE-2026-7368
Attack Chain
An attacker downloads the Yarbo Android or iOS application and decompiles or unpacks the binary to extract the hard-coded MQTT broker credentials. Because every installation of the app shares the same credential, the broker cannot distinguish the attacker's client from a legitimate app instance. Using these credentials, the attacker connects to the Yarbo cloud MQTT infrastructure. Due to missing per-device authorization, the attacker subscribes to wildcard topics to monitor real-time telemetry across the global robot fleet and harvests robot serial numbers from it. Finally, the attacker uses the harvested serial numbers to publish unauthorized operational commands to specific robots.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the advisory.
Detection Engineering Assessment
- EDR Visibility: None. The vulnerabilities exist within the mobile application code (APK/IPA) and the vendor's cloud MQTT infrastructure, neither of which is typically monitored by enterprise endpoint detection and response solutions.
- Network Visibility: Low. Network monitoring could in principle detect anomalous MQTT traffic, but the malicious activity occurs between an attacker's device and the vendor's cloud infrastructure, bypassing corporate networks entirely.
- Detection Difficulty: Hard. Detection relies entirely on the vendor's cloud infrastructure logs to identify anomalous MQTT topic subscriptions or command publishing, and those logs are inaccessible to end users.
Required Log Sources
- MQTT Broker Logs
- Cloud Application Audit Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| If you have visibility into the MQTT broker logs, consider hunting for single IP addresses subscribing to wildcard telemetry topics across multiple distinct robot serial numbers. | MQTT Broker Logs | Discovery | Low |
Control Gaps
- Lack of per-device authorization on the MQTT broker
- Hardcoded credentials in mobile application binaries
Key Behavioral Indicators
- Anomalous MQTT wildcard subscriptions
- Unexpected command publishing to robot topics from source addresses outside the expected client population, or one source address commanding many distinct robot serial numbers
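The hunting hypothesis in the table above and the two behavioral indicators just listed can be turned into a small triage script. The following is an added example written for this page, not code from the advisory or from the vendor: it assumes a constructed broker log format (epoch, source IP, client ID, operation, topic) and a hypothetical topic layout of `yarbo/<serial>/telemetry` and `yarbo/<serial>/cmd`. Neither the real Yarbo topic names nor the vendor's log schema is known from the advisory, so the regexes would need to be adapted to whatever the broker actually emits. The logic flags (a) any source IP that subscribes to a wildcard topic (`+` or `#`) and (b) any source IP that publishes commands to more than `max_serials` distinct robots, which is what a single valid credential being used fleet-wide looks like.

```python
import re
from collections import defaultdict

# Constructed log format for this example (an assumption, NOT the vendor's real schema):
#   <epoch> <src_ip> <client_id> SUBSCRIBE|PUBLISH <topic>
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<ip>[\d.]+) (?P<client>\S+) "
    r"(?P<op>SUBSCRIBE|PUBLISH) (?P<topic>\S+)$"
)

# Hypothetical topic layout assumed for the example: yarbo/<serial>/telemetry|cmd
TOPIC_RE = re.compile(r"^yarbo/(?P<serial>[^/]+)/(?P<kind>telemetry|cmd)$")

# Constructed sample log: one legitimate app per robot, plus one client that
# subscribes with wildcards and then commands three different serial numbers.
SAMPLE_LOG = """\
1779000000 198.51.100.10 app-7f3a SUBSCRIBE yarbo/SN000123/telemetry
1779000001 198.51.100.10 app-7f3a PUBLISH yarbo/SN000123/cmd
1779000002 203.0.113.7 mqtt-explorer SUBSCRIBE yarbo/+/telemetry
1779000003 203.0.113.7 mqtt-explorer SUBSCRIBE yarbo/#
1779000010 203.0.113.7 mqtt-explorer PUBLISH yarbo/SN000123/cmd
1779000011 203.0.113.7 mqtt-explorer PUBLISH yarbo/SN000456/cmd
1779000012 203.0.113.7 mqtt-explorer PUBLISH yarbo/SN000789/cmd
1779000020 198.51.100.22 app-91c0 SUBSCRIBE yarbo/SN000456/telemetry
"""


def parse_line(line):
    """Return a dict of fields for a well-formed log line, or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_wildcard(topic):
    """True if any topic level is an MQTT wildcard ('+' single-level, '#' multi-level)."""
    return any(level in ("+", "#") for level in topic.split("/"))


def hunt(log_text, max_serials=1):
    """Scan broker log text and return a list of findings keyed by source IP.

    Findings:
      wildcard_subscribe  - the IP subscribed to at least one wildcard topic
      multi_robot_command - the IP published commands to more than max_serials robots
    """
    wildcard_subs = defaultdict(set)  # ip -> wildcard topics subscribed
    cmd_targets = defaultdict(set)    # ip -> serial numbers commanded

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # ignore unparseable lines rather than failing the hunt
        if rec["op"] == "SUBSCRIBE" and is_wildcard(rec["topic"]):
            wildcard_subs[rec["ip"]].add(rec["topic"])
        elif rec["op"] == "PUBLISH":
            tm = TOPIC_RE.match(rec["topic"])
            if tm and tm.group("kind") == "cmd":
                cmd_targets[rec["ip"]].add(tm.group("serial"))

    findings = []
    for ip, topics in wildcard_subs.items():
        findings.append({"ip": ip, "reason": "wildcard_subscribe",
                         "topics": sorted(topics)})
    for ip, serials in cmd_targets.items():
        if len(serials) > max_serials:
            findings.append({"ip": ip, "reason": "multi_robot_command",
                             "serials": sorted(serials)})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f)
```

On the constructed sample only 203.0.113.7 is reported, once for the wildcard subscriptions and once for commanding three robots; the two per-robot app clients are not flagged. A legitimate vendor backend may itself subscribe to wildcard topics, so in practice the wildcard check should be combined with an allow-list of the vendor's own source addresses, and `max_serials` should be raised for any household or business that legitimately operates several robots from one app.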
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Update the Yarbo mobile application to version 3.17.4 or later on all corporate-managed or BYOD devices.
Infrastructure Hardening
- Evaluate whether control system networks and remote devices are located behind firewalls and isolated from business networks.
- Minimize network exposure for all control system devices, ensuring they are not reachable inbound from the internet. Note that this does not address the attack described here, which reaches the robot through the vendor's cloud broker rather than through an inbound connection; where the robots need cloud connectivity to operate, restrict their egress to the vendor's endpoints rather than expecting isolation alone to help.
User Protection
- If applicable, use Mobile Device Management (MDM) policies to enforce minimum app version requirements for the Yarbo application.
Security Awareness
- Consider educating users on the risks of using outdated mobile applications that interface with physical or robotic systems.
MITRE ATT&CK Mapping
- T1552.001 - Credentials In Files
- T1078 - Valid Accounts
- T1190 - Exploit Public-Facing Application