{"uuid": "443faa37-89f7-4496-ab87-5de09b0226f9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-7414", "type": "seen", "source": "http://takeonme.org/cves/cve-2026-7414/", "content": "CVE-2026-7414: Hardcoded credentials in Yarbo robot firmware v2.3.9\n\nAHA! has discovered an issue affecting Yarbo robot firmware v2.3.9. This disclosure follows AHA!\u2019s standard disclosure policy. Any questions about this disclosure should be directed to cve@takeonme.org.\n\nAffected products\n\nYarbo robot firmware v2.3.9 (April, 2026)\n\nExecutive summary\n\nYarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in the firmware image. These credentials are identical across all devices running this firmware and cannot be changed or removed by end users, enabling trivial unauthorized access to device management interfaces by anyone who knows them.\n\nThis vulnerability is estimated to have a CVSSv3.1 rating of\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n(9.8, Critical) and the relevant SSVC vectors are Exploitation: PoC and\nTechnical Impact: Total. This issue is an instance of CWE-798.\n\nVulnerability Details\n\nStatic username and password credentials are embedded in configuration files and binaries within the firmware image. These credentials grant administrative access to the device\u2019s SSH and management interfaces. Attempts to change credentials via the device UI are reverted on reboot, as the original values are restored from a read-only firmware partition.\n\nAttacker Value\n\nAn attacker who knows the hardcoded credentials \u2014 which are shared across every device running this firmware \u2014 can immediately authenticate to any affected robot\u2019s management interface without any prior access or exploitation. This is the key that unlocks CVE-2026-7413: the undocumented backdoor SSH service described there accepts these same credentials, providing a root shell to anyone on the internet who reaches the device through the NAT-punching proxy. When combined with CVE-2026-7415, the open MQTT broker can be used to enumerate devices on the network, giving an attacker a target list to attack at scale with these credentials. The result is mass, unauthenticated, persistent compromise of an entire fleet.\n\nMitigation and remediation\n\nVendor action required: remove hardcoded credentials, introduce unique per-device credentials provisioned at manufacture, and ensure credential changes are persisted correctly across reboots and firmware updates.\n\nTemporary mitigations: restrict SSH and management interface ports via network ACLs, isolate devices on segmented networks, and monitor for unexpected authentication attempts.\n\nProof-of-concept\n\nSee Bin4ry\u2019s original disclosure details at Yarbo - NAT in my Back Yard.\n\nTimeline\n\n2026-March: Initial analysis of the vendor-supplied Android APK\n\n2026-April: Initial analysis of the vendor-supplied robot filesystem\n\n2026-Apr-12 (Sun): Initial outreach to the vendor and AHA!\n\n2026-Apr-29 (Wed): CVE-2026-7414 reserved\n\n2026-Apr-30 (Thu): Demonstrated at AHA! meeting 0x00eb\n\n2026-May-07 (Thu): Public disclosure of CVE-2026-7414\n\nCredit\n\nReported by Andreas Makris (aka Bin4ry), demonstrated and disclosed through AHA!.\n", "creation_timestamp": "2026-05-07T14:00:00.000000Z"}