
Yarbo robot fleet vulnerable to hard‑coded MQTT keys

CISA warns that identical credentials in Yarbo’s mobile app let attackers spy on or command any robot worldwide.


Yarbo’s Android and iOS apps embed the same MQTT broker password, and its cloud broker lacks per‑device checks.

The CISA advisory lists two critical flaws. CVE‑2026‑10557 covers the hard‑coded broker credentials, which anyone can extract from the app binary; CVE‑2026‑7368 covers the missing authorization check that lets any holder of those credentials subscribe to every robot's telemetry or publish commands to any robot by serial number. Both affect versions prior to 3.17.4 and carry CVSS scores of 9.8 and 8.1 respectively. Yarbo says that updating to 3.17.4 together with a May‑2026 server patch will enforce authorization, with no user action required beyond installing the app update. Because the shared secret may already have been extracted, the server‑side enforcement is what actually closes the hole; rotating the app credential without a per‑device check on the broker would only reset the clock.
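To make the authorization gap concrete, here is an added illustration (not Yarbo's code and not from the advisory): a broker‑side topic authorization check in Python, first as a shared‑secret policy that accepts any authenticated session for any topic filter, then as a per‑device policy that binds each session to the serials it may touch and refuses wildcard subscriptions. The topic layout robots/<serial>/{telemetry,cmd}, the serials, the client records and the role split between app and robot are all constructed for this example; Yarbo's real topic names and binding scheme are not known from the advisory.

```python
"""Broker-side MQTT topic authorization, before and after a per-device check.

Added illustration, not Yarbo's code. The topic layout, serials, client
records and roles are constructed assumptions for this example.
"""


def mqtt_topic_matches(filter_: str, topic: str) -> bool:
    """Standard MQTT filter matching: '+' matches one level, '#' the remainder."""
    f_parts = filter_.split("/")
    t_parts = topic.split("/")
    for i, f in enumerate(f_parts):
        if f == "#":
            return True
        if i >= len(t_parts):
            return False
        if f != "+" and f != t_parts[i]:
            return False
    return len(f_parts) == len(t_parts)


def topic_serial(topic: str):
    """Serial a topic is scoped to under the assumed robots/<serial>/<kind> layout."""
    parts = topic.split("/")
    if len(parts) == 3 and parts[0] == "robots" and parts[2] in ("telemetry", "cmd"):
        return parts[1]
    return None


def shared_secret_authorize(client: dict, action: str, topic: str) -> bool:
    """Pre-fix policy: presenting the one password baked into the app is the
    whole check. Any topic or filter, including wildcards, is accepted."""
    return client["password_ok"]


def per_device_authorize(client: dict, action: str, topic: str) -> bool:
    """Hardened policy: the broker binds each session to the serials it may touch
    (a robot's own serial, or the serials registered to the app user's account,
    taken from server records, never from the client) and checks every
    subscribe/publish against that binding. Wildcards are refused outright so
    one session cannot fan out across the fleet."""
    if not client["password_ok"]:
        return False
    if "+" in topic or "#" in topic:
        return False
    serial = topic_serial(topic)
    if serial is None or serial not in client["serials"]:
        return False
    kind = topic.rsplit("/", 1)[1]
    if client["role"] == "robot":
        # A robot publishes its own telemetry and listens for its own commands.
        return (action, kind) in {("publish", "telemetry"), ("subscribe", "cmd")}
    if client["role"] == "app":
        # An app reads telemetry of, and sends commands to, robots it is bound to.
        return (action, kind) in {("subscribe", "telemetry"), ("publish", "cmd")}
    return False


def reachable_robots(authorize, client: dict, fleet: set, action: str, kind: str) -> set:
    """Serials whose <kind> topic the client can reach for <action>; a granted
    wildcard subscription counts as reaching every serial it matches."""
    reached = set()
    for serial in fleet:
        if authorize(client, action, f"robots/{serial}/{kind}"):
            reached.add(serial)
    if action == "subscribe":
        wildcard = f"robots/+/{kind}"
        if authorize(client, action, wildcard):
            reached |= {s for s in fleet if mqtt_topic_matches(wildcard, f"robots/{s}/{kind}")}
    return reached


# Constructed fleet and clients (assumptions, not real Yarbo identifiers).
FLEET = {"YB-0001", "YB-0002", "YB-0003"}
ATTACKER = {"password_ok": True, "role": "app", "serials": set()}        # has the app secret, owns nothing
OWNER = {"password_ok": True, "role": "app", "serials": {"YB-0002"}}     # account bound to one robot
ROBOT = {"password_ok": True, "role": "robot", "serials": {"YB-0003"}}   # a robot's own session

if __name__ == "__main__":
    for name, policy in (("shared secret", shared_secret_authorize), ("per device", per_device_authorize)):
        print(name, "attacker can watch:", sorted(reachable_robots(policy, ATTACKER, FLEET, "subscribe", "telemetry")))
        print(name, "attacker can command:", sorted(reachable_robots(policy, ATTACKER, FLEET, "publish", "cmd")))
        print(name, "owner can command:", sorted(reachable_robots(policy, OWNER, FLEET, "publish", "cmd")))
```

Under the shared‑secret policy a client holding only the extracted password reaches every robot in the constructed fleet, for both watching telemetry and sending commands; under the per‑device policy the attacker reaches nothing, the owner is confined to its own serial, and the robot session can only publish its telemetry and read its commands. In a real deployment the same decision lives in the broker's ACL or auth plugin (Mosquitto's acl_file pattern rules with %c or %u substitution express the serial binding declaratively), and the session‑to‑serial binding must come from the server's account records, not from a serial the client names itself.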

This matters because Yarbo's robots are deployed in commercial facilities worldwide, so a single extracted key, combined with a broker that never asks which robot a session is entitled to, could hijack an entire fleet's operations. The flaw highlights how shared hard‑coded credentials and missing authorization checks remain easy entry points in industrial IoT, even for high‑profile vendors.

Bottom line: install the app update immediately and isolate any control‑system traffic behind firewalls. Treat the advisory as a reminder that shared secrets are a liability, not a convenience.


The Revision

Written by an AI system from the public sources credited above.