{"vulnerability": "CVE-2026-7414", "sightings": [{"uuid": "18291a4c-1494-4b74-b584-8cef3e948e70", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-7414", "type": "seen", "source": "https://bsky.app/profile/cyberhub.blog/post/3mm47joehq425", "content": "\ud83d\udccc CVE-2026-7414 - Yarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in the firmware image. These credentials are identical across all devices... https://www.cyberhub.blog/cves/CVE-2026-7414", "creation_timestamp": "2026-05-18T06:07:07.590487Z"}, {"uuid": "dcc2bf0d-589e-43d0-a5d2-64f63371171c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-7414", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mlbpvcbnub2n", "content": "\ud83d\udd34 CVE-2026-7414 - Critical (9.8)\n\nYarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in the firmware imag...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-7414/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-07T17:18:05.034613Z"}, {"uuid": "d9520197-7a3b-4c0a-b0ff-d6566dd0237b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-7414", "type": "seen", "source": "http://takeonme.org/cves/cve-2026-7413/", "content": "CVE-2026-7413: Persistent undocumented backdoor access in Yarbo robot firmware v2.3.9\n\nAHA! has discovered an issue affecting Yarbo robot firmware v2.3.9. This disclosure follows AHA!\u2019s standard disclosure policy. 
Any questions about this disclosure should be directed to cve@takeonme.org.\n\nAffected products\n\n\n\nYarbo robot firmware v2.3.9 (April, 2026)\n\n\nExecutive summary\n\nA hidden, persistent backdoor was found in Yarbo firmware v2.3.9 that provides remote, unauthenticated (or weakly authenticated) access to privileged functionality. The backdoor is undocumented, cannot be disabled via user-facing settings, and survives factory reset and ordinary firmware updates.\n\nThis vulnerability is estimated to have a CVSSv31 rating of\nCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n(7.2, High) and the relevant SSVC vectors are Exploitation: PoC and\nTechnical Impact: Total. This issue is an instance of CWE-912.\n\nVulnerability Details\n\nAn undocumented SSH service is installed and listening on all affected robots, reachable through a NAT-punching proxy system. This service grants an interactive shell at escalated, root privileges. The component is present in firmware images and is routinely restored during normal boot, making access persistent.\n\nAttacker Value\n\nAn attacker who can reach the device either directly or through the supplied NAT-punching proxy and provide a valid username and password can immediately obtain a persistent, privileged foothold on the robot via the undocumented backdoor. With that foothold the attacker can read sensitive telemetry and internal state, run arbitrary commands as root, and install or restore components that survive reboots and firmware updates.\n\nWhen combined with the hardcoded credential described in CVE-2026-7414, an attacker has effectively unfettered access to the target robot, across the internet. When combined with CVE-2026-7415 (open MQTT orchestration) the attacker can locate specific robots to target with this vulnerability. 
In short, these issues together allow trivial unauthorized persistent control, fleet-wide compromise, and widespread data exposure.\n\nMitigation and remediation\n\n\n\nVendor action required: remove the undocumented service, provide a documented authentication mechanism, and ensure firmware updates/factory resets effectively remove legacy/backdoor components.\n\nTemporary mitigations: block the service\u2019s listening port at network perimeter (host or network firewall), isolate devices on segmented networks, and monitor for unexpected outbound connections from devices.\n\n\nProof-of-concept\n\nSee Bin4ry\u2019s original disclosure details at Yarbo - NAT in my Back Yard.\n\nTimeline\n\n\n\n2026-March: Initial analysis of the vendor supplied Android APK\n\n2026-April: Initial analysis of the vendor supplied robot filesystem\n\n2026-Apr-12 (Sun): Initial outreach to the vendor and AHA!\n\n2026-Apr-29 (Wed): CVE-2026-7413 reserved\n\n2026-Apr-30 (Thu): Demonstrated at AHA! meeting 0x00eb\n\n2026-May-07 (Thu): Public disclosure of CVE-2026-7413\n\n\nCredit\n\nReported by Andreas Makris (aka Bin4ry), demonstrated and disclosed through AHA!.\n\n", "creation_timestamp": "2026-05-07T14:00:00.000000Z"}, {"uuid": "443faa37-89f7-4496-ab87-5de09b0226f9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-7414", "type": "seen", "source": "http://takeonme.org/cves/cve-2026-7414/", "content": "CVE-2026-7414: Hardcoded credentials in Yarbo robot firmware v2.3.9\n\nAHA! has discovered an issue affecting Yarbo robot firmware v2.3.9. This disclosure follows AHA!\u2019s standard disclosure policy. Any questions about this disclosure should be directed to cve@takeonme.org.\n\nAffected products\n\n\n\nYarbo robot firmware v2.3.9 (April, 2026)\n\n\nExecutive summary\n\nYarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in the firmware image. 
These credentials are identical across all devices running this firmware and cannot be changed or removed by end users, enabling trivial unauthorized access to device management interfaces by anyone who knows them.\n\nThis vulnerability is estimated to have a CVSSv31 rating of\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n(9.8, Critical) and the relevant SSVC vectors are Exploitation: PoC and\nTechnical Impact: Total. This issue is an instance of CWE-798.\n\nVulnerability Details\n\nStatic username and password credentials are embedded in configuration files and binaries within the firmware image. These credentials grant administrative access to the device\u2019s SSH and management interfaces. Attempts to change credentials via the device UI are reverted on reboot, as the original values are restored from a read-only firmware partition.\n\nAttacker Value\n\nAn attacker who knows the hardcoded credentials \u2014 which are shared across every device running this firmware \u2014 can immediately authenticate to any affected robot\u2019s management interface without any prior access or exploitation. This is the key that unlocks CVE-2026-7413: the undocumented backdoor SSH service described there accepts these same credentials, providing a root shell to anyone on the internet who reaches the device through the NAT-punching proxy. When combined with CVE-2026-7415, the open MQTT broker can be used to enumerate devices on the network, giving an attacker a target list to attack at scale with these credentials. 
The result is mass, unauthenticated, persistent compromise of an entire fleet.\n\nMitigation and remediation\n\n\n\nVendor action required: remove hardcoded credentials, introduce unique per-device credentials provisioned at manufacture, and ensure credential changes are persisted correctly across reboots and firmware updates.\n\nTemporary mitigations: restrict SSH and management interface ports via network ACLs, isolate devices on segmented networks, and monitor for unexpected authentication attempts.\n\n\nProof-of-concept\n\nSee Bin4ry\u2019s original disclosure details at Yarbo - NAT in my Back Yard.\n\nTimeline\n\n\n\n2026-March: Initial analysis of the vendor supplied Android APK\n\n2026-April: Initial analysis of the vendor supplied robot filesystem\n\n2026-Apr-12 (Sun): Initial outreach to the vendor and AHA!\n\n2026-Apr-29 (Wed): CVE-2026-7414 reserved\n\n2026-Apr-30 (Thu): Demonstrated at AHA! meeting 0x00eb\n\n2026-May-07 (Thu): Public disclosure of CVE-2026-7414\n\n\nCredit\n\nReported by Andreas Makris (aka Bin4ry), demonstrated and disclosed through AHA!.\n\n", "creation_timestamp": "2026-05-07T14:00:00.000000Z"}, {"uuid": "0f7c35c6-d8c8-4ab4-a9ae-098f05952ab1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-7414", "type": "seen", "source": "http://takeonme.org/cves/cve-2026-7415/", "content": "CVE-2026-7415: Open MQTT orchestration without read/write ACLs in Yarbo robot firmware v2.3.9\n\nAHA! has discovered an issue affecting Yarbo robot firmware v2.3.9. This disclosure follows AHA!\u2019s standard disclosure policy. Any questions about this disclosure should be directed to cve@takeonme.org.\n\nAffected products\n\n\n\nYarbo robot firmware v2.3.9 (April, 2026)\n\n\nExecutive summary\n\nThe MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. 
Any host on the same network can subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization of any kind.\n\nThis vulnerability is estimated to have a CVSSv31 rating of\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n(9.8, Critical) and the relevant SSVC vectors are Exploitation: PoC and\nTechnical Impact: Total. This issue is an instance of CWE-306.\n\nVulnerability Details\n\nThe MQTT broker ships with anonymous=true and no ACL file configured, meaning any client can connect and freely publish or subscribe to any topic. Orchestration topics expose direct command channels (e.g., movement, configuration) alongside telemetry topics carrying sensor data, location, and operational logs. No further exploit is needed beyond network connectivity to read or inject messages.\n\nAttacker Value\n\nAn attacker on the local network, or reaching the device through the NAT-punching proxy referenced in CVE-2026-7413, can use the open MQTT broker to passively enumerate active robots, read live telemetry, and identify specific devices to target. More critically, they can actively publish commands to control robot actuators or alter configurations, with no credentials required. 
When chained with CVE-2026-7413 and CVE-2026-7414, this open broker completes a fully unauthenticated attack path: MQTT reveals and enumerates devices, hardcoded credentials provide authenticated management access, and the persistent backdoor delivers a root shell \u2014 all without the attacker needing to perform any exploitation in the traditional sense.\n\nMitigation and remediation\n\n\n\nVendor action required: disable anonymous MQTT access, require client authentication, and enforce topic-level ACLs that restrict publish and subscribe permissions to authorized clients only.\n\nTemporary mitigations: block MQTT ports (default 1883/8883) at network boundaries, place devices on isolated VLANs, and monitor for unexpected MQTT broker connections.\n\n\nProof-of-concept\n\nSee Bin4ry\u2019s original disclosure details at Yarbo - NAT in my Back Yard.\n\nTimeline\n\n\n\n2026-March: Initial analysis of the vendor supplied Android APK\n\n2026-April: Initial analysis of the vendor supplied robot filesystem\n\n2026-Apr-12 (Sun): Initial outreach to the vendor and AHA!\n\n2026-Apr-29 (Wed): CVE-2026-7415 reserved\n\n2026-Apr-30 (Thu): Demonstrated at AHA! meeting 0x00eb\n\n2026-May-07 (Thu): Public disclosure of CVE-2026-7415\n\n\nCredit\n\nReported by Andreas Makris (aka Bin4ry), demonstrated and disclosed through AHA!.\n\n", "creation_timestamp": "2026-05-07T14:00:00.000000Z"}, {"uuid": "f926b2bb-da17-4b71-8fe1-f427c887ace7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-7414", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mlbw4wdgng2e", "content": "CVE-2026-7414 - Hardcoded credentials in Yarbo robot firmware\nCVE ID : CVE-2026-7414\n \n Published : May 7, 2026, 5:15 p.m. | 1\u00a0hour, 4\u00a0minutes ago\n \n Description : Yarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in the firmware image. 
These credent...", "creation_timestamp": "2026-05-07T19:09:42.612324Z"}, {"uuid": "a4398482-c4b4-4e06-96a6-01f0314e6d09", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-7414", "type": "seen", "source": "https://bsky.app/profile/postac001.bsky.social/post/3mlbxr4xlo72a", "content": "Yarbo firmware v2.3.9 contains hardcoded administrative credentials that are shared across all devices and cannot be changed. As a result, anyone who knows the credentials can easily gain unauthorized access to the device management interface\u2026\nCVE-2026-7414 CVSS 9.8 | CRITICAL", "creation_timestamp": "2026-05-07T19:38:54.484028Z"}]}