CVE-2025-59449
📋 TL;DR
The YoSmart YoLink MQTT broker has insufficient authorization controls that allow cross-account attacks. Attackers can remotely operate any YoLink user's devices by obtaining predictable device IDs. All users of YoLink devices with the vulnerable MQTT broker are affected.
💻 Affected Systems
- YoSmart YoLink MQTT broker
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full remote control over all YoLink devices in any user's home, enabling unauthorized access, surveillance, or physical manipulation of smart locks, cameras, and other IoT devices.
Likely Case
Attackers compromise random YoLink devices to cause nuisance disruptions, unauthorized access to non-critical functions, or reconnaissance for further attacks.
If Mitigated
With proper network segmentation and monitoring, impact is limited to isolated IoT network segments with no access to critical systems.
🎯 Exploit Status
Exploitation requires obtaining device IDs, which are predictable. Public research demonstrates practical attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2025-10-02
Vendor Advisory: https://shop.yosmart.com/pages/sa-2025-001
Restart Required: Yes
Instructions:
1. Update the YoLink MQTT broker to the latest version.
2. Update all YoLink device firmware.
3. Restart all affected devices.
4. Verify that authorization controls are functioning.
🔧 Temporary Workarounds
Network Segmentation
Isolate YoLink devices on a separate VLAN with strict firewall rules
MQTT Broker Access Control
Implement strict MQTT topic authorization and client authentication
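The authorization weakness behind this CVE is a broker that checks whether a device ID exists rather than whether the requesting account owns it, so a guessable ID is enough to reach another user's device. The following is an added illustration (not YoLink's code) of what "strict MQTT topic authorization" means in practice: the weak check is shown beside a hardened per-account check. The topic layout yolink/<account_id>/<device_id>/<channel>, the Client class and the function names are assumptions made for the example.

```python
"""Per-account MQTT topic authorization check.

Added illustration, not YoLink's code. The topic layout is an assumption:
    yolink/<account_id>/<device_id>/<channel>
Subscription filters may use the MQTT wildcards '+' (one level) and '#' (rest).
"""
from dataclasses import dataclass, field

PREFIX = "yolink"


@dataclass
class Client:
    account_id: str
    devices: set = field(default_factory=set)  # device IDs this account owns


def split_topic(topic: str):
    """Return the topic levels, or None if the topic is malformed
    (empty level, '$' prefix, '#' not last, wildcard mixed into a level)."""
    if not topic or topic.startswith("$"):
        return None
    parts = topic.split("/")
    if any(p == "" for p in parts):
        return None
    if "#" in parts[:-1]:
        return None
    for p in parts:
        if ("+" in p and p != "+") or ("#" in p and p != "#"):
            return None
    return parts


def weak_authorize(client: Client, action: str, topic: str, known_devices: set) -> bool:
    """The pattern the advisory describes: the broker only checks that the
    device ID is known to it, not that the requesting account owns it.
    A predictable device ID therefore grants cross-account access."""
    parts = split_topic(topic)
    if parts is None or len(parts) != 4 or parts[0] != PREFIX:
        return False
    return parts[2] in known_devices


def strict_authorize(client: Client, action: str, topic: str) -> bool:
    """Hardened check: the account level must be a literal equal to the
    client's own account (no wildcard there, so yolink/# and yolink/+/...
    are rejected), and a literal device level must name a device it owns."""
    parts = split_topic(topic)
    if parts is None or parts[0] != PREFIX:
        return False
    if action == "publish":
        # MQTT forbids wildcards in publish topics; require the full 4-level form.
        if len(parts) != 4 or any(p in ("+", "#") for p in parts):
            return False
        return parts[1] == client.account_id and parts[2] in client.devices
    if action == "subscribe":
        if len(parts) < 2 or parts[1] != client.account_id:
            return False
        if len(parts) >= 3 and parts[2] not in ("+", "#"):
            return parts[2] in client.devices
        return True  # wildcard device level is fine: the account level is pinned
    return False


if __name__ == "__main__":
    # Constructed sample accounts and a broker-wide device registry.
    alice = Client("acctA", {"d1000", "d1001"})
    registry = {"d1000", "d1001", "d2000"}
    cross = "yolink/acctB/d2000/cmd"
    print("weak  :", weak_authorize(alice, "publish", cross, registry))
    print("strict:", strict_authorize(alice, "publish", cross))
```

The strict check pins the account level of every topic to the authenticated client; device ownership is then a per-account lookup, so enumerating device IDs yields nothing outside the caller's own account. Subscriptions that would span accounts (yolink/# or yolink/+/...) are refused outright.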
🧯 If You Can't Patch
- Disconnect YoLink devices from the internet and use local-only mode
- Replace YoLink devices with alternative IoT solutions
🔍 How to Verify
Check if Vulnerable:
Check the YoLink MQTT broker version; versions before 2025-10-03 are vulnerable. Test authorization by attempting cross-account device control.
Check Version:
Check the YoLink app or device management interface for the broker version.
Verify Fix Applied:
Verify broker version is after 2025-10-02 and test that cross-account device control attempts are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized MQTT publish/subscribe attempts
- Cross-account device access patterns
- Failed authorization events
Network Indicators:
- MQTT traffic to unexpected device IDs
- Unusual command patterns to IoT devices
- Traffic from unauthorized sources to YoLink broker
SIEM Query:
source="yosmart*" AND (event_type="authorization_failure" OR device_id NOT IN allowed_devices)
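The SIEM query above expresses two of the log indicators; the third, repeated access to many device IDs from one source, is the network-level sign of ID enumeration. The following added example (not vendor tooling) runs all three checks over broker log lines. The key=value log format, the field names, the sample lines and the allow-list are constructed for illustration and must be mapped onto your broker's real log fields.

```python
"""Detection over YoLink-style MQTT broker authorization logs.

Added example, not vendor tooling. The key=value log format below is
constructed for illustration; map the field names to your broker's logs.
Three indicators are implemented:
  1. explicit authorization failures,
  2. an account touching a device ID not on its allowed list (cross-account),
  3. one source touching many distinct device IDs (ID enumeration).
"""
from collections import Counter, defaultdict

# Constructed sample log: acctA reaches acctB's device, and 198.51.100.7
# walks a run of consecutive device IDs under acctC.
SAMPLE_LOG = """\
2025-10-05T12:00:01Z event_type=publish account=acctA src=203.0.113.10 device_id=d1000 result=allowed
2025-10-05T12:00:02Z event_type=publish account=acctA src=203.0.113.10 device_id=d2000 result=allowed
2025-10-05T12:00:03Z event_type=authorization_failure account=acctC src=198.51.100.7 device_id=d3000 result=denied
2025-10-05T12:00:04Z event_type=publish account=acctC src=198.51.100.7 device_id=d3001 result=allowed
2025-10-05T12:00:05Z event_type=publish account=acctC src=198.51.100.7 device_id=d3002 result=allowed
2025-10-05T12:00:06Z event_type=publish account=acctC src=198.51.100.7 device_id=d3003 result=allowed
2025-10-05T12:00:07Z event_type=publish account=acctC src=198.51.100.7 device_id=d3004 result=allowed
2025-10-05T12:00:08Z event_type=subscribe account=acctB src=192.0.2.44 device_id=d2000 result=allowed
"""

# Constructed allow-list: the device IDs each account legitimately owns.
ALLOWED_DEVICES = {
    "acctA": {"d1000", "d1001"},
    "acctB": {"d2000"},
    "acctC": {"d3000"},
}


def parse_line(line: str) -> dict:
    """Split one log line into a dict; the first token is the timestamp."""
    ts, _, rest = line.strip().partition(" ")
    fields = {"timestamp": ts}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def detect(log_text: str, allowed: dict, enum_threshold: int = 4) -> list:
    """Return a list of alert dicts for the three indicators."""
    alerts = []
    devices_by_src = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        acct, dev, src = ev.get("account"), ev.get("device_id"), ev.get("src")
        base = {"timestamp": ev["timestamp"], "account": acct,
                "device_id": dev, "src": src}
        if ev.get("event_type") == "authorization_failure":
            alerts.append({"type": "authorization_failure", **base})
        elif dev not in allowed.get(acct, set()):
            # The broker allowed it, but the device is not this account's:
            # this is the exploitation pattern, not a failed attempt.
            alerts.append({"type": "cross_account_access", **base})
        devices_by_src[src].add(dev)
    for src, devs in devices_by_src.items():
        if len(devs) >= enum_threshold:
            alerts.append({"type": "device_enumeration", "src": src,
                           "distinct_devices": len(devs)})
    return alerts


def summarize(alerts: list) -> Counter:
    """Count alerts by type."""
    return Counter(a["type"] for a in alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, ALLOWED_DEVICES):
        print(alert)
```

The cross-account rule is the important one for this CVE: on a vulnerable broker the request is logged as allowed, so a query that only looks for failures misses it. The enumeration threshold (4 distinct device IDs per source here) is a tunable starting point; set it from the number of devices a legitimate account actually has.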