CVE-2025-59449

Published: Oct 6, 2025Modified: Nov 26, 2025

4.9

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

Exploitability: 1.8 / Impact: 2.7

Source: MITRE (Secondary)

Description

The YoSmart YoLink MQTT broker through 2025-10-02 does not enforce sufficient authorization controls to prevent cross-account attacks, allowing an attacker to remotely operate affected devices if the attacker obtains the associated device IDs. Because YoLink device IDs are predictable, an attacker can exploit this to gain full control over any other YoLink user's devices.

Related CWEs

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (4)

https://bishopfox.com/blog/advisories

Source: cve@mitre.org

https://bishopfox.com/blog/how-a-20-smart-device-gave-me-access-to-your-home

Source: cve@mitre.org

https://shop.yosmart.com/pages/product-support

Source: cve@mitre.org

https://shop.yosmart.com/pages/sa-2025-001

Source: cve@mitre.org

Timeline

No history available yet.