Yarbo Firmware v2.3.9 Hardcoded Credentials Vulnerability (CVE-2026-7414) Analysis

Vulnerability Overview CVE ID: CVE-2026-7414 Vulnerability Name: Hardcoded Credentials in Yarbo Robot Firmware v2.3.9 Description: Yarbo firmware v2.3.9 contains hardcoded administrator credentials embedded within the firmware image, which are identical across all devices running this firmware. These credentials cannot be changed or removed by end-users, allowing anyone who knows them to easily access the device's management interface. CVSS Score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8, Critical) Related SSVC Vectors: Exploitation: PoC and Technical Impact: Total Instance: CVE-799 Impact Scope Affected Products: Yarbo Robot Firmware v2.3.9 (Released April 2026) Specific Impacts: - Static username and password credentials are embedded in configuration files and binaries. - These credentials grant administrative access to the device's SSH and management interfaces. - Attempts to change credentials via the device UI revert to the original values after a reboot, as the original values are restored from a read-only firmware partition. - Attackers can immediately authenticate to the management interface of any affected device using the hardcoded credentials, without requiring prior access or exploitation. - This is a key factor in unlocking CVE-2026-7413 (an undocumented SSH backdoor service), which accepts these same credentials, providing a root shell to any internet user accessing the device via NAT punching proxy. - Combined with CVE-2026-7415 (an open MQTT broker), this allows attackers to enumerate devices on the network, enabling large-scale attacks against a list of targets. Remediation Vendor Actions Required: - Remove hardcoded credentials. - Implement per-device credentials provided during manufacturing, and ensure that credential changes persist correctly across reboots and firmware updates. Temporary Mitigations: - Restrict SSH and management interface ports via network ACLs. - Isolate devices on segmented networks. - Monitor for unexpected authentication attempts. Proof of Concept (POC) Reference Link: Yarbo - NAT in my Back Yard Timeline March 2026: Initial analysis of the vendor-provided Android APK April 2026: Initial analysis of the vendor-provided robot filesystem April 12, 2026 (Sunday): First contact with the vendor and AHA! April 29, 2026 (Wednesday): CVE-2026-7414 reserved April 30, 2026 (Thursday): Demonstrated at AHA! Meeting 0x00eb May 7, 2026 (Thursday): Public disclosure of CVE-2026-7414 Acknowledgments Reporter: Andreas Makris (aka Bin4ry) Demonstration and Disclosure: Via AHA!

Goal Reached Thanks to every supporter — we hit 100%!

Yarbo Firmware v2.3.9 Hardcoded Credentials Vulnerability (CVE-2026-7414) Analysis

More from this source