CISA Flags Hard-Coded Credentials in Yarbo Mobile App and Cloud Infrastructure (CVSS 9.8)
Per CISA's June 11 ICS advisory, the Yarbo Android/iOS mobile application and the vendor's cloud MQTT infrastructure carry hard-coded credentials and missing-authorization flaws rated CVSS v3 9.8.
At a glance
- CISA's June 11 advisory rates the Yarbo mobile app and cloud MQTT infrastructure flaws at CVSS v3 9.8.
- The weaknesses are use of hard-coded credentials and missing authorization, affecting all listed versions.
- Exploitation could expose telemetry data and allow operational commands to be sent to the robot fleet.
VERDICT — CONFIRMED
Per CISA's June 11 ICS advisory, the Yarbo Android/iOS mobile application and the vendor's cloud MQTT infrastructure carry hard-coded credentials and missing-authorization flaws rated CVSS v3 9.8. Successful exploitation could let an attacker obtain the hard-coded credentials, access telemetry data, and potentially send operational commands to the robot fleet. All versions of the mobile app and cloud infrastructure are listed as affected; the China-headquartered vendor's products are deployed worldwide in the commercial facilities sector.
Key facts on file
- CISA's June 11 advisory rates the Yarbo mobile app and cloud MQTT infrastructure flaws at CVSS v3 9.8.
- The weaknesses are use of hard-coded credentials and missing authorization, affecting all listed versions.
- Exploitation could expose telemetry data and allow operational commands to be sent to the robot fleet.


