PatchSiren cyber security CVE debrief
CVE-2026-10557 Yarbo CVE debrief
The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices. These credentials are embedded in the application binary and are readily extractable via APK decompilation. The credentials provide access to cloud MQTT brokers carrying real-time telemetry for the entire global Yarbo robot fleet. They allow both wildcard subscription to all robot telemetry topics and publishing to any robot's command topic using only the robot's serial number.
- Vendor: Yarbo
- Product: Yarbo Android/iOS mobile application
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Yarbo Android and iOS applications, administrators of Yarbo robot fleets, and anyone concerned with the security of IoT devices.
Technical summary
The CVE-2026-10557 vulnerability has a CVSS score of 9.3 and is classified as CRITICAL. It involves hard-coded credentials in the Yarbo applications, allowing unauthorized access to MQTT brokers and potentially enabling malicious control of robots.
Defensive priority
HIGH
Recommended defensive actions
- Update to the latest version of the Yarbo application if available.
- Store and manage credentials securely, rather than as a single shared secret embedded in the application binary.
- Monitor robot telemetry and command topics for suspicious activity.
- Consider implementing additional security measures such as two-factor authentication or rate limiting on MQTT broker access.
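As an added example (not part of the PatchSiren debrief or of Yarbo's own tooling), the following Python script applies the monitoring recommendation above to constructed broker log lines: it flags any client that subscribes with MQTT wildcards or that publishes commands to more robots than a single owner's app should address. The topic layout `robots/<serial>/telemetry` and `robots/<serial>/cmd`, the log wording and the client names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample broker log lines (Mosquitto-style wording; the topic
# layout robots/<serial>/telemetry and robots/<serial>/cmd is hypothetical).
SAMPLE_LOG = """\
client app-7f3a subscribed to robots/SN1001/telemetry
client app-7f3a published to robots/SN1001/cmd
client app-22c1 subscribed to robots/+/telemetry
client app-22c1 subscribed to robots/#
client app-9b0d published to robots/SN1001/cmd
client app-9b0d published to robots/SN1002/cmd
client app-9b0d published to robots/SN1003/cmd
client app-9b0d published to robots/SN1004/cmd
"""

LINE_RE = re.compile(r"client (\S+) (subscribed to|published to) (\S+)")
CMD_RE = re.compile(r"^robots/([^/]+)/cmd$")


def analyse(log: str, max_serials_per_client: int = 1) -> dict:
    """Return per-client findings: wildcard subscriptions (fleet-wide
    telemetry reads) and command publishing that spans more serials than
    one owner's app should ever address."""
    wildcard_subs = defaultdict(list)
    cmd_serials = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, action, topic = m.groups()
        # '+' and '#' are the MQTT single- and multi-level wildcards.
        if action == "subscribed to" and ("+" in topic or "#" in topic):
            wildcard_subs[client].append(topic)
        elif action == "published to":
            c = CMD_RE.match(topic)
            if c:
                cmd_serials[client].add(c.group(1))
    findings = {}
    for client, topics in wildcard_subs.items():
        findings.setdefault(client, []).append(
            f"wildcard subscription: {', '.join(topics)}")
    for client, serials in cmd_serials.items():
        if len(serials) > max_serials_per_client:
            findings.setdefault(client, []).append(
                f"commands sent to {len(serials)} distinct robots: "
                f"{', '.join(sorted(serials))}")
    return findings


if __name__ == "__main__":
    for client, reasons in analyse(SAMPLE_LOG).items():
        print(client, "->", "; ".join(reasons))
```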
Evidence notes
CVE-2026-10557 was published on 2026-06-12T15:16:24.523Z and modified on 2026-06-12T16:06:47.720Z. The vulnerability is tracked by ICS-CERT, and the record references CSAF and CISA advisories.
Official resources
The CVE record references CSAF and CISA advisories (see Evidence notes).