Summary
Successful exploitation of these vulnerabilities could allow an attacker to remotely control other users’ smart home devices, intercept sensitive data, and hijack sessions.
The following versions of YoSmart YoLink Smart Hub are affected:
- YoSmart server (CVE-2025-59449, CVE-2025-59451)
- YoLink Smart Hub (CVE-2025-59452)
- YoLink Mobile Application (CVE-2025-59448)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 5.8 | YoSmart | YoSmart YoLink Smart Hub | Incorrect Authorization, Generation of Predictable Numbers or Identifiers, Cleartext Transmission of Sensitive Information |
Background
- Critical Infrastructure Sectors: Communications
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States
Vulnerabilities
CVE-2025-59449
The YoSmart YoLink MQTT broker through 2025-10-02 does not enforce sufficient authorization controls to prevent cross-account attacks, allowing an attacker to remotely operate affected devices if the attacker obtains the associated device IDs. Because YoLink device IDs are predictable, an attacker can exploit this to gain full control over any other YoLink user’s devices.
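To illustrate the authorization flaw described above from a defender's side, the following added example (not YoLink's or YoSmart's code; the topic layout, account names and device table are constructed assumptions) contrasts a broker-side check that only requires authentication with one that also requires the device to belong to the authenticated account, and shows generating unpredictable device identifiers.

```python
import re
import secrets
from typing import Optional

# Constructed sample data: which account owns which device. The "d_NNNN"
# identifiers and the "devices/<id>/<channel>" topic layout are assumptions
# for illustration only, not YoLink's real schema.
DEVICE_OWNER = {
    "d_1001": "alice",
    "d_1002": "alice",
    "d_1003": "bob",
}
TOPIC_RE = re.compile(r"^devices/(?P<device_id>[^/]+)/(?P<channel>cmd|report)$")


def authorize_weak(account: Optional[str], topic: str) -> bool:
    """Flawed check of the kind CVE-2025-59449 describes: any authenticated
    account may publish to or subscribe on any device topic, so knowing (or
    guessing) another user's device ID is enough to operate their device."""
    return account is not None and TOPIC_RE.match(topic) is not None


def authorize_strict(account: Optional[str], topic: str) -> bool:
    """Hardened check: the device named in the topic must be owned by the
    authenticated account. Anonymous clients, malformed topics and unknown
    devices are all denied (default deny)."""
    if account is None:
        return False
    match = TOPIC_RE.match(topic)
    if match is None:
        return False
    return DEVICE_OWNER.get(match.group("device_id")) == account


def new_device_id() -> str:
    """Unpredictable device identifier: 128 bits from the OS CSPRNG.
    This addresses the predictable-ID weakness (CWE-340) but is only
    defence in depth; per-account authorization remains the real fix."""
    return "d_" + secrets.token_hex(16)
```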
Affected Products
- YoSmart YoLink Smart Hub (vendor: YoSmart)
- YoSmart server: all versions (vers:all/*), status: known_affected
Remediations
Mitigation
YoSmart recommends that users t
[…]