Description
Yarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in the firmware image. These credentials are identical across all devices running this firmware and cannot be changed or removed by end users, enabling trivial unauthorized access to device management interfaces by anyone who knows them.
Published: 2026-05-07
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Yarbo firmware v2.3.9 embeds a set of hard-coded administrative credentials that are identical on every device and cannot be altered by users. This flaw allows an attacker who knows the default login to reach the device’s management interface and perform any privileged operation, from modifying configuration and routing to executing arbitrary system commands. The result is a complete compromise of the device’s confidentiality, integrity, and availability, and it can affect the network segments in which the robot operates.

Affected Systems

All Yarbo devices running firmware version 2.3.9 are affected. No other firmware releases or product lines have been identified as impacted.

Risk and Exploitability

The vulnerability’s CVSS score of 9.8 marks it as critical. No EPSS score is available, but the ease of exploitation is high because the credentials are trivial and universal. Although the vulnerability is not listed in the CISA KEV catalog, it permits an attacker with physical or network access to the device to gain full control of it, potentially disrupting connected systems and services.

Generated by OpenCVE AI on May 7, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a firmware version that removes hard-coded credentials. The vendor fix addresses CWE-798 by allowing credential configuration or deletion.
  • If no update is available, flash custom firmware that implements credential management and eliminates default credentials, mitigating the CWE-798 weakness.
  • Restrict access to the device management interface via network segmentation or firewall rules, ensuring only trusted management hosts can connect, thereby reducing the exploitation surface of the CWE-798 flaw.


Tracking


Advisories

No advisories yet.

History

Thu, 07 May 2026 21:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Yarbo, Yarbo firmware
Vendors & Products  |                | Yarbo, Yarbo firmware

Thu, 07 May 2026 18:15:00 +0000

Type       | Values Removed | Values Added
References |                |
Metrics    |                | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 07 May 2026 17:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Yarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in the firmware image. These credentials are identical across all devices running this firmware and cannot be changed or removed by end users, enabling trivial unauthorized access to device management interfaces by anyone who knows them.
Title       |                | Hardcoded credentials in Yarbo robot firmware
Weaknesses  |                | CWE-798
References  |                |
Metrics     |                | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: AHA

Published:

Updated: 2026-05-07T17:01:37.949Z

Reserved: 2026-04-29T13:55:09.542Z

Link: CVE-2026-7414

Vulnrichment

Updated: 2026-05-07T17:01:01.487Z

NVD

Status: Awaiting Analysis

Published: 2026-05-07T17:15:59.460

Modified: 2026-05-07T18:46:25.867

Link: CVE-2026-7414

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:24:37Z

Weaknesses