Yarbo Android/iOS Mobile Application and Cloud Infrastructure
Plan Patch · CVSS 9.8 · ICS-CERT ICSA-26-162-01 · Jun 11, 2026
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Yarbo mobile application contains hard-coded MQTT broker credentials that an attacker could extract to gain unauthorized access to the cloud infrastructure. The MQTT broker does not enforce authorization on connection, allowing an attacker with the credentials to view telemetry from all connected robots and send operational commands. Affected versions of the Yarbo Android/iOS app are below v3.17.4; the cloud MQTT infrastructure lacks broker-level authorization controls across all versions.
What this means
What could happen
An attacker could obtain hard-coded credentials from the mobile app, then use them to access the cloud MQTT broker to view telemetry from all connected robots and send operational commands that could alter robot behavior or halt operations.
Who's at risk
Organizations operating Yarbo robotic systems, including landscaping service companies, municipalities using autonomous mowers for grounds maintenance, and facilities managers with fleets of outdoor maintenance robots. Anyone using the Yarbo Android or iOS app to manage robot operations is affected.
How it could be exploited
An attacker extracts the hard-coded MQTT credentials from the Android or iOS app binary, then connects directly to the Yarbo cloud MQTT broker over the network with those credentials; because the broker performs no further authorization, the attacker can subscribe to telemetry topics and publish commands to the robot fleet.
Prerequisites
- Network access to Yarbo cloud MQTT broker (port 1883 or 8883)
- Ability to reverse-engineer or extract hard-coded credentials from the mobile app APK/IPA file
- Remotely exploitable
- No authentication required at broker level
- Low complexity to extract credentials
- Hard-coded credentials in production app
- Affects operational control of robot fleet
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (2)
2 pending
Product | Affected Versions | Fix Status
Yarbo Android/iOS mobile application | <v3.17.4 | No fix yet
Cloud MQTT infrastructure | All versions | No fix yet
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to the Yarbo MQTT broker to known robot IP addresses or ranges if possible
- HARDENING: Monitor MQTT broker for unexpected connection attempts or commands from unknown sources
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update Yarbo mobile app to version 3.17.4 or later on all user devices
- HOTFIX: Verify that broker authorization enforcement is active after the May 2026 server-side update deployment
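As an added illustration of the monitoring workaround above (not code from the advisory or from Yarbo), the script below scans broker log lines for client connections from outside the known robot IP ranges and for publishes to command topics by such clients. The log line format (modelled on Mosquitto's), the IP ranges, client IDs and the fleet/<robot-id>/cmd topic layout are all assumed placeholders.

```python
import ipaddress
import re

# Constructed sample lines in the style of a Mosquitto broker log (format assumed,
# not taken from the advisory). Addresses, client IDs and topics are placeholders.
SAMPLE_LOG = """\
1781000000: New client connected from 10.20.0.15:50112 as robot-0001 (p2, c1, k60, u'robot').
1781000001: Received PUBLISH from robot-0001 (d0, q0, r0, m0, 'fleet/robot-0001/telemetry', ... (48 bytes))
1781000002: New client connected from 203.0.113.7:41022 as mqttx-9f3a (p2, c1, k60, u'app').
1781000003: Received PUBLISH from mqttx-9f3a (d0, q1, r0, m1, 'fleet/robot-0001/cmd', ... (12 bytes))
1781000004: Received PUBLISH from robot-0001 (d0, q0, r0, m0, 'fleet/robot-0001/telemetry', ... (48 bytes))
"""

CONNECT_RE = re.compile(r"New client connected from (?P<ip>[\d.]+):\d+ as (?P<cid>\S+)")
PUBLISH_RE = re.compile(r"Received PUBLISH from (?P<cid>\S+) \(.*?'(?P<topic>[^']+)'")


def analyze(log_text, known_networks, command_suffix="/cmd"):
    """Return findings as (kind, client_id, detail) tuples: connections from outside
    known_networks, and publishes to a command topic by a client whose connection
    did not come from a known network. Topic layout fleet/<robot-id>/cmd is assumed."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    origin = {}  # client id -> source IP seen at connect time
    findings = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            ip = ipaddress.ip_address(m["ip"])
            origin[m["cid"]] = ip
            if not any(ip in n for n in nets):
                findings.append(("unknown_source_connect", m["cid"], str(ip)))
            continue
        m = PUBLISH_RE.search(line)
        if m and m["topic"].endswith(command_suffix):
            ip = origin.get(m["cid"])
            # A command publish with no connect record, or from outside the
            # known ranges, is exactly what the HARDENING item asks to catch.
            if ip is None or not any(ip in n for n in nets):
                findings.append(("command_from_unknown_source", m["cid"], m["topic"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, ["10.20.0.0/16"]):
        print(*finding)
```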
CVEs (2)