Description

The YoSmart YoLink MQTT broker through 2025-10-02 does not enforce sufficient authorization controls to prevent cross-account attacks, allowing an attacker to remotely operate affected devices if the attacker obtains the associated device IDs. Because YoLink device IDs are predictable, an attacker can exploit this to gain full control over any other YoLink user's devices.

INFO

Published Date :

2025-10-06T00:00:00.000Z

Last Modified :

2025-11-26T15:20:01.433Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-59449 vulnerability.

Vendors Products
Yosmart
  • Yolink Mqtt Broker
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-59449.

URL Resource
https://bishopfox.com/blog/advisories cve-icon cve-icon
https://bishopfox.com/blog/how-a-20-smart-device-gave-me-access-to-your-home cve-icon cve-icon
https://shop.yosmart.com/pages/product-support cve-icon cve-icon
https://shop.yosmart.com/pages/sa-2025-001 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact