The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding critical vulnerabilities (CVSS 9.8) in Yarbo's mobile application and cloud infrastructure that control its global robot fleet. These flaws involve hard-coded credentials and missing authorization, enabling attackers to gain fleet-wide access, monitor telemetry, and send operational commands. CISA recommends users update the Yarbo app to version 3.17.4 or later and implement defensive cybersecurity measures, while Yarbo is deploying server-side authorization fixes. The enforcement risk score is low (25) as CISA is issuing an advisory rather than an enforcement action.
Effective date
2026-06-11
Action required
Organizations using Yarbo robot systems must update their mobile applications to version 3.17.4 or later and ensure Yarbo's server-side authorization updates, deployed by May 2026, are active. Additionally, implement robust cybersecurity practices like network segmentation, firewalls, and secure remote access for all connected control systems.
Binding status
advisory
Governing body
Cybersecurity and Infrastructure Security Agency
Direction
clarifying
Innovation impact
neutral
AI technologies
Affected industries
Affected roles
Cross-references
Cites standards
CVSS v3.1, CVSS v4.0, CWE-798 Use of Hard-coded Credentials, CWE-862 Missing Authorization
"Successful exploitation of these vulnerabilities could allow an attacker to obtain hard-coded credentials, gain access to telemetry data, and potentially send operational commands to the robot fleet."
Enriched 2026-06-11
Stay informed
Get daily intelligence briefs on this and related regulatory developments.