CVE-2026-7414: Hardcoded credentials in Yarbo robot firmware v2.3.9

AHA! has discovered an issue affecting Yarbo robot firmware v2.3.9. This disclosure follows AHA!’s standard disclosure policy. Any questions about this disclosure should be directed to [email protected].

Affected products

  • Yarbo robot firmware v2.3.9 (April 2026)

Executive summary

Yarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in the firmware image. These credentials are identical across all devices running this firmware and cannot be changed or removed by end users, enabling trivial unauthorized access to device management interfaces by anyone who knows them.

This vulnerability is estimated to have a CVSSv3.1 rating of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8, Critical), and the relevant SSVC vectors are Exploitation: PoC and Technical Impact: Total. This issue is an instance of CWE-798.

Vulnerability Details

Static username and password credentials are embedded in configuration files and binaries within the firmware image. These credentials grant administrative access to the device’s SSH and management interfaces. Attempts to change credentials via the device UI are reverted on reboot, as the original values are restored from a read-only firmware partition.

Attacker Value

An attacker who knows the hardcoded credentials — which are shared across every device running this firmware — can immediately authenticate to any affected robot’s management interface without any prior access or exploitation. This is the key that unlocks CVE-2026-7413: the undocumented backdoor SSH service described there accepts these same credentials, providing a root shell to anyone on the internet who reaches the device through the NAT-punching proxy. When combined with CVE-2026-7415, the open MQTT broker can be used to enumerate devices on the network, giving an attacker a target list to attack at scale with these credentials. The result is mass, unauthenticated, persistent compromise of an entire fleet.

Mitigation and remediation

  • Vendor action required: remove hardcoded credentials, introduce unique per-device credentials provisioned at manufacture, and ensure credential changes are persisted correctly across reboots and firmware updates.
  • Temporary mitigations: restrict SSH and management interface ports via network ACLs, isolate devices on segmented networks, and monitor for unexpected authentication attempts.

Proof-of-concept

See Bin4ry’s original disclosure details at Yarbo - NAT in my Back Yard.

Timeline

  • 2026-March: Initial analysis of the vendor-supplied Android APK
  • 2026-April: Initial analysis of the vendor-supplied robot filesystem
  • 2026-Apr-12 (Sun): Initial outreach to the vendor and AHA!
  • 2026-Apr-29 (Wed): CVE-2026-7414 reserved
  • 2026-Apr-30 (Thu): Demonstrated at AHA! meeting 0x00eb
  • 2026-May-07 (Thu): Public disclosure of CVE-2026-7414

Credit

Reported by Andreas Makris (aka Bin4ry), demonstrated and disclosed through AHA!.