- Description: The YoSmart YoLink MQTT broker through 2025-10-02 does not enforce sufficient authorization controls to prevent cross-account attacks, allowing an attacker to remotely operate affected devices if the attacker obtains the associated device IDs. Because YoLink device IDs are predictable, an attacker can exploit this to gain full control over any other YoLink user's devices.
- Source: cve@mitre.org
- NVD status: Deferred
CVSS 3.1
- Type: Secondary
- Base score: 4.9
- Impact score: 2.7
- Exploitability score: 1.8
- Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
- Severity: MEDIUM
- Weakness (source: cve@mitre.org): CWE-863
- Hype score: Not currently trending
CVE-2025-59449 The YoLink MQTT broker through 2025-10-02 does not enforce sufficient authorization controls to prevent cross-account attacks, allowing an attacker to remotely operat… https://t.co/U6IoaIlxwq
@CVEnew
6 Oct 2025
Critical zero-day vulnerabilities found in $20 YoLink Smart Hub v0382 let attackers bypass auth, intercept credentials, control devices. CVE-2025-59449, CVE-2025-59448, CVE-2025-59451, CVE-2025-59452 impact ESP32-based hub. Disconnect affected hubs, isolate IoT devices
@bigmacd16684
3 Oct 2025