

YoSmart YoLink Smart Hub
Published: 13 January 2026 at 12:00:00
Alert date: 13 January 2026 at 19:02:07
Source: cisa.gov
Mobile & IoT, Critical Infrastructure
Multiple critical vulnerabilities were discovered in the YoSmart YoLink Smart Hub ecosystem, allowing remote control of other users' smart home devices, session hijacking, and data interception. Four CVEs affect different components: CVE-2025-59449 enables cross-account attacks due to insufficient authorization controls, CVE-2025-59452 concerns predictable endpoint URLs derived from MAC addresses, CVE-2025-59448 concerns sensitive data transmitted over unencrypted MQTT, and CVE-2025-59451 involves session tokens with excessively long lifetimes. The vulnerabilities could allow attackers to gain full control over any YoLink user's devices worldwide. YoSmart has released patches and automatic updates to address these issues.
Affected products:
YoSmart YoLink Smart Hub
YoLink Mobile Application
YoSmart server
Related links:
https://www.cisa.gov/news-events/ics-advisories/icsa-26-013-03
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-013-03.json
https://www.cve.org/CVERecord?id=CVE-2025-59449
https://www.cve.org/CVERecord?id=CVE-2025-59452
https://www.cve.org/CVERecord?id=CVE-2025-59448
https://www.cve.org/CVERecord?id=CVE-2025-59451
https://cwe.mitre.org/data/definitions/863.html
https://cwe.mitre.org/data/definitions/340.html
https://cwe.mitre.org/data/definitions/319.html
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
This article was created with the assistance of AI technology by Perceptive.

