Executive Summary

CVE-2026-7413 is a hidden, persistent backdoor found in Yarbo firmware version 2.3.9 used in autonomous lawn mowers and snow blowers. This backdoor provides remote, unauthenticated or weakly authenticated access to privileged functions by establishing a permanent outbound SSH tunnel to a Yarbo-controlled server. The SSH service allows root login with a hardcoded password that resets on every deployment cycle, ensuring persistent access. The backdoor cannot be disabled by users, survives factory resets and firmware updates, and exposes sensitive device features such as live camera feeds and Wi-Fi credentials.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to gain root access to affected Yarbo devices remotely without proper authentication. With this access, attackers can view live camera feeds, steal Wi-Fi credentials, and use the compromised device as a foothold to pivot into home or government networks. Approximately 6,000 devices are affected, posing significant risks of unauthorized surveillance, data theft, and network intrusion.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for an active outbound tunnel from the affected device to the Yarbo-controlled server (98.82.87.76) using the FRP (Fast Reverse Proxy) client. The SSH service is exposed through this tunnel with PermitRootLogin enabled, allowing root access with a hardcoded password.

You can look for network connections to the IP addresses 98.82.87.76 or 121.41.35.110, which are associated with the backdoor's FRP servers.

Suggested commands to detect the backdoor include:

• On the device, run `netstat -an | grep 98.82.87.76` or `netstat -an | grep 121.41.35.110` to check for active connections to the backdoor servers.
• Use `ps aux | grep frp` to identify if the FRP client process is running.
• Attempt to SSH into the device using the robot's serial number as username and the hardcoded password `hy@0886!#` to verify if root access is possible.
• Inspect the FRP configuration file for the presence of an authentication token starting with `hy18129`.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps are limited due to the backdoor being a deliberate design choice that cannot be disabled via user-facing settings and survives factory resets and firmware updates.

However, you can take the following actions:

• Disconnect the affected device from the network to prevent remote access through the backdoor.
• Monitor network traffic for connections to the known backdoor servers (98.82.87.76 and 121.41.35.110) and block these IP addresses at your firewall.
• Change any Wi-Fi credentials or other sensitive information that might have been exposed through the compromised device.
• Consider replacing the affected device with a model that does not contain this backdoor.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability introduces a persistent, hidden backdoor that allows remote, unauthenticated root access to devices, exposing sensitive data such as live camera feeds and Wi-Fi credentials. This unauthorized access and data exposure could lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive information.

Because the backdoor cannot be disabled by users and survives factory resets and firmware updates, affected devices lack adequate security controls and user consent mechanisms, further undermining compliance with standards requiring secure device management and user privacy.

Additionally, the ability for attackers to pivot into home or government networks via compromised devices increases the risk of broader data breaches, which could trigger regulatory reporting requirements and penalties under these standards.

Useful 0 Not Useful 0