CVE-2025-59451

Published Oct 6, 2025

Last updated 9 days ago

CVSS low 3.5
ICS

Overview

Description
The YoSmart YoLink application through 2025-10-02 has session tokens with unexpectedly long lifetimes.
Source
cve@mitre.org
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Secondary
Base score
3.5
Impact score
1.4
Exploitability score
1.8
Vector string
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
Severity
LOW

Weaknesses

cve@mitre.org
CWE-863

Social media

Hype score
Not currently trending

  1. CVE-2025-59451 The YoSmart YoLink application through 2025-10-02 has session tokens with unexpectedly long lifetimes. https://t.co/uhvZvIFzZW

    @CVEnew

    6 Oct 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Critical zero-day vulnerabilities found in $20 YoLink Smart Hub v0382 let attackers bypass auth, intercept credentials, control devices. CVE-2025-59449, CVE-2025-59448, CVE-2025-59451, CVE-2025-59452 impact ESP32-based hub. Disconnect affected hubs, isolate IoT devices

    @bigmacd16684

    3 Oct 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Related CVEs

  1. CVE-2024-10085
  2. OpenPLC_V3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access.CVE-2026-35063
  3. A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior, which would allow remote attackers, in the LON IP-852 management messages, to send specially crafted IP-852 messages resulting in a memory leak from the program's memory.CVE-2026-22885
  4. A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior, which would allow remote attackers, in the LON IP-852 management messages, to send specially crafted IP-852 messages resulting in arbitrary OS command execution on the device.CVE-2026-20761
  5. An unprotected API endpoint allows an attacker to remotely change the device password without providing authentication.CVE-2026-24789

References

Sources include official advisories and independent security research.