CVE-2025-59449
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-10-06
Last updated on: 2025-11-26
Assigner: MITRE
Description
The YoSmart YoLink MQTT broker through 2025-10-02 does not enforce sufficient authorization controls to prevent cross-account attacks, allowing an attacker to remotely operate affected devices if the attacker obtains the associated device IDs. Because YoLink device IDs are predictable, an attacker can exploit this to gain full control over any other YoLink user's devices.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yosmart | yolink_smart_hub | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the YoSmart YoLink MQTT broker allows attackers to remotely control devices belonging to other users by exploiting insufficient authorization controls. Since device IDs are predictable, an attacker who obtains these IDs can perform cross-account attacks and gain full control over affected devices.
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker to remotely operate your YoLink devices without your permission, potentially leading to unauthorized control and misuse of your smart devices.