Thousands of Yarbo robotic lawnmowers exposed with identical default passwords

May 18, 2026
By SC Staff

Thousands of Yarbo robotic lawnmowers worldwide have been found to have a critical security flaw that allows remote access through identical default administrator credentials, based on information published by Tech Radar.

Security researcher Andreas Makris discovered that Yarbo robotic lawnmowers, which operate in over 30 countries and are equipped with cameras, GPS, and AI mapping, used the same default passwords. This vulnerability allowed Makris to access owner email addresses, Wi-Fi passwords, and precise GPS locations, and even to demonstrate the ability to remotely hijack a 200-pound mower. The Linux-based devices, functioning like internet-connected computers, could theoretically be weaponized by hackers to activate blades, scan networks, or form botnets. The risk is amplified for mowers located near critical infrastructure, such as power plants.

Yarbo, with ties to China and a New York headquarters, has acknowledged the flaws and implemented fixes including disabling remote diagnostic tunnels and resetting passwords. However, concerns remain about the retention of manufacturer remote access, which critics describe as a backdoor, based on information published by Tech Radar.

Source: Tech Radar