View CSAF
Summary
Successful exploitation of these vulnerabilities could allow an attacker to remotely control other users’ smart home devices, intercept sensitive data, and hijack sessions.
The following versions of YoSmart YoLink Smart Hub are affected:
- YoSmart server (CVE-2025-59449, CVE-2025-59451)
- YoLink Smart Hub (CVE-2025-59452)
- YoLink Mobile Appication (CVE-2025-59448)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 5.8 | YoSmart | YoSmart YoLink Smart Hub | Incorrect Authorization, Generation of Predictable Numbers or Identifiers, Cleartext Transmission of Sensitive Information |
Background
- Critical Infrastructure Sectors: Communications
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States
Vulnerabilities
Expand All +
CVE-2025-59449
The YoSmart YoLink MQTT broker through 2025-10-02 does not enforce sufficient authorization controls to prevent cross-account attacks, allowing an attacker to remotely operate affected devices if the attacker obtains the associated device IDs. Because YoLink device IDs are predictable, an attacker can exploit this to gain full control over any other YoLink user’s devices.
View CVE Details
Affected Products
YoSmart YoLink Smart Hub
YoSmart
YoSmart server: vers:all/*
known_affected
Remediations
Mitigation
YoSmart recommends that users take the following actions to mitigate these vulnerabilities:
Mitigation
CVE-2025-59449 & CVE-2025-59451 – YoSmart’s engineering team resolved these vulnerabilities on the server backend. No user actions are required
Mitigation
For more information visit the YoSmart Security Advisory.
Relevant CWE: CWE-863 Incorrect Authorization
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N |
CVE-2025-59452
The YoSmart YoLink API through 2025-10-02 uses an endpoint URL that is derived from a device’s MAC address along with an MD5 hash of non-secret information, such as a key that begins with cf50.
View CVE Details
Affected Products
YoSmart YoLink Smart Hub
YoSmart
YoSmart YoLink Smart Hub: 0382
known_affected
Remediations
Mitigation
YoSmart recommends that users take the following actions to mitigate these vulnerabilities:
Mitigation
CVE-2025-59452 – YoSmart released update 0383 to support a new, dynamic authentication algorithm. This will be released as an automatic over-the-air update and no user action is required.
Mitigation
For more information visit the YoSmart Security Advisory.
Relevant CWE: CWE-340 Generation of Predictable Numbers or Identifiers
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N |
CVE-2025-59448
Components of the YoSmart YoLink ecosystem through 2025-10-02 leverage unencrypted MQTT to communicate over the internet. An attacker with the ability to monitor network traffic could therefore obtain sensitive information or tamper with the traffic to control affected devices. This affects YoLink Mobile Application 1.40.41 and YoLink MQTT Broker.
View CVE Details
Affected Products
YoSmart YoLink Smart Hub
YoSmart
YoSmart YoLink Mobile Appication: <v1.40.45
known_affected
Remediations
Mitigation
YoSmart recommends that users take the following actions to mitigate these vulnerabilities:
Mitigation
CVE-2025-59448 – YoSmart recommends that users update to version 1.40.45 or later to mitigate this vulnerability.
Mitigation
For more information visit the YoSmart Security Advisory.
Relevant CWE: CWE-319 Cleartext Transmission of Sensitive Information
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 4.7 | MEDIUM | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N |
CVE-2025-59451
The YoSmart YoLink application through 2025-10-02 has session tokens with unexpectedly long lifetimes.
View CVE Details
Affected Products
YoSmart YoLink Smart Hub
YoSmart
YoSmart server: vers:all/*
known_affected
Remediations
Mitigation
YoSmart recommends that users take the following actions to mitigate these vulnerabilities:
Mitigation
CVE-2025-59449 & CVE-2025-59451 – YoSmart’s engineering team resolved these vulnerabilities on the server backend. No user actions are required
Mitigation
For more information visit the YoSmart Security Advisory.
Relevant CWE: CWE-863 Incorrect Authorization
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 3.5 | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N |
Acknowledgments
- Nick Cerne of Bishop Fox reported these vulnerabilities to CISA
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
Revision History
- Initial Release Date: 2026-01-13
| Date | Revision | Summary |
|---|---|---|
| 2026-01-13 | 1 | Initial Publication |