Nick

**Name of the Vulnerable Software and Affected Versions** YoSmart YoLink MQTT broker versions through 2025-10-02 **Description** The YoLink MQTT broker does not adequately enforce authorization controls, which can lead to cross-account attacks. An attacker who obtains device IDs can remotely operate devices belonging to other users. The predictability of YoLink device IDs facilitates exploitation, potentially granting full control over other users' devices. **Recommendations** Update to a version beyond 2025-10-02.

**Name of the Vulnerable Software and Affected Versions** YoSmart YoLink Smart Hub firmware version 0382 **Description** The YoSmart YoLink Smart Hub firmware version 0382 is unencrypted. Data extracted from the device can be used to determine network access credentials. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** YoSmart YoLink application versions through 2025-10-02 **Description** The YoSmart YoLink application has session tokens with unexpectedly long lifetimes. **Recommendations** Update to a version later than 2025-10-02. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** YoSmart YoLink versions through 2025-10-02 **Description** The YoSmart YoLink API constructs an endpoint URL using a device's MAC address and an MD5 hash of non-secret information, including a key starting with `cf50`. The API endpoint is derived from this information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.