guidance United States effective 9/10
Government · Cybersecurity and Infrastructure Security Agency

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding critical vulnerabilities (CVSS 9.8) in Yarbo's mobile application and cloud infrastructure that control its global robot fleet. These flaws involve hard-coded credentials and missing authorization, enabling attackers to gain fleet-wide access, monitor telemetry, and send operational commands. CISA recommends users update the Yarbo app to version 3.17.4 or later and implement defensive cybersecurity measures, while Yarbo is deploying server-side authorization fixes. The enforcement risk score is low (25) as CISA is issuing an advisory rather than an enforcement action.

Effective date

2026-06-11

Action required

Organizations using Yarbo robot systems must update their mobile applications to version 3.17.4 or later and ensure Yarbo's server-side authorization updates, deployed by May 2026, are active. Additionally, implement robust cybersecurity practices like network segmentation, firewalls, and secure remote access for all connected control systems.

Binding status

advisory

Governing body

Cybersecurity and Infrastructure Security Agency

Direction

clarifying

Innovation impact

neutral

AI technologies

autonomous vehiclesrobotic process automationai agents

Affected industries

technologymanufacturingcommercial facilitiesall

Affected roles

cisoctorisk managercompliance officer

Cross-references

Cites standards

CVSS v3.1, CVSS v4.0, CWE-798 Use of Hard-coded Credentials, CWE-862 Missing Authorization

"Successful exploitation of these vulnerabilities could allow an attacker to obtain hard-coded credentials, gain access to telemetry data, and potentially send operational commands to the robot fleet."

Enriched 2026-06-11

Stay informed

Get daily intelligence briefs on this and related regulatory developments.

Start 14-day trial