PT-2025-40946 · Yosmart · Yolink Mqtt Broker
Author: Nicholas Cerne and 1 other
Published: 2025-10-06
Updated: 2025-10-07
CVE: CVE-2025-59449
CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
YoSmart YoLink MQTT broker versions through 2025-10-02
Description
The YoLink MQTT broker does not enforce per-account authorization on device operations, which allows cross-account attacks: an authenticated attacker who learns another user's device ID can remotely operate that device. Because YoLink device IDs are predictable, obtaining valid IDs for other accounts is easy, potentially giving the attacker full control over other users' devices.
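The weakness class is easiest to see in a broker's authorization hook. The following is an added example written for this advisory, not YoSmart/YoLink code: the topic layout (`devices/<device_id>/cmd` and `devices/<device_id>/state`), the `Registry` model and the `dev-<n>` ID format are assumptions. `authorize_vulnerable` only checks that the client is authenticated, so any account can publish commands to any device; `authorize_fixed` additionally requires that the device named in the topic belongs to the caller. `reachable_foreign_devices` shows why predictable IDs matter: with sequential IDs an attacker who knows their own device ID can walk to neighbouring IDs, while random 128-bit IDs leave nothing to walk.

```python
"""Per-account authorization for an MQTT device-command broker.

Constructed example for this advisory, not YoSmart/YoLink code. The topic
layout, ID format and Registry are assumptions:
    devices/<device_id>/cmd    - an account publishes commands to its device
    devices/<device_id>/state  - an account subscribes to its device's state
"""
import itertools
import secrets


class Registry:
    """Maps device_id -> owning account_id (assumed data model)."""

    def __init__(self, sequential_ids: bool = False):
        self.owners: dict[str, str] = {}
        self._seq = itertools.count(1000)
        self._sequential = sequential_ids

    def register(self, account_id: str) -> str:
        if self._sequential:
            # Predictable: knowing one ID reveals its neighbours.
            device_id = f"dev-{next(self._seq)}"
        else:
            # Hardened: 128-bit random ID, infeasible to guess.
            device_id = "dev-" + secrets.token_hex(16)
        self.owners[device_id] = account_id
        return device_id


def parse_topic(topic: str):
    """Return (device_id, channel) for a well-formed topic, else None."""
    parts = topic.split("/")
    if len(parts) != 3 or parts[0] != "devices" or parts[2] not in ("cmd", "state"):
        return None
    if not parts[1]:
        return None
    return parts[1], parts[2]


def authorize_vulnerable(reg, account_id, action, topic) -> bool:
    """Authentication-only check: any logged-in account may act on any
    well-formed device topic, the cross-account flaw the advisory describes."""
    return account_id is not None and parse_topic(topic) is not None


def authorize_fixed(reg, account_id, action, topic) -> bool:
    """Authorization check: the device in the topic must belong to the caller."""
    if account_id is None:
        return False
    parsed = parse_topic(topic)
    if parsed is None:
        return False
    device_id, channel = parsed
    owner = reg.owners.get(device_id)
    if owner is None or owner != account_id:
        return False  # unknown or foreign device: deny, same answer for both
    allowed = {("publish", "cmd"), ("subscribe", "state")}
    return (action, channel) in allowed


def reachable_foreign_devices(reg, authorize, attacker, own_device, radius=5):
    """Other accounts' devices that `attacker` may command by trying IDs
    adjacent to their own. Only sequential IDs have meaningful neighbours."""
    prefix, _, num = own_device.rpartition("-")
    if not num.isdigit():
        return []
    hits = []
    for n in range(int(num) - radius, int(num) + radius + 1):
        cand = f"{prefix}-{n}"
        if reg.owners.get(cand) not in (None, attacker) and authorize(
            reg, attacker, "publish", f"devices/{cand}/cmd"
        ):
            hits.append(cand)
    return hits


def scenario(sequential_ids: bool, authorize):
    """Two accounts with one device each; Mallory targets Alice's device."""
    reg = Registry(sequential_ids)
    alice_dev = reg.register("alice")
    mallory_dev = reg.register("mallory")
    return {
        "own_cmd": authorize(reg, "mallory", "publish", f"devices/{mallory_dev}/cmd"),
        "cross_cmd": authorize(reg, "mallory", "publish", f"devices/{alice_dev}/cmd"),
        "cross_state": authorize(reg, "mallory", "subscribe", f"devices/{alice_dev}/state"),
        "anon_cmd": authorize(reg, None, "publish", f"devices/{alice_dev}/cmd"),
        "enumerated": reachable_foreign_devices(reg, authorize, "mallory", mallory_dev),
    }


if __name__ == "__main__":
    for name, fn in (("vulnerable", authorize_vulnerable), ("fixed", authorize_fixed)):
        print(name, scenario(True, fn))
```

In a real broker this check belongs in the ACL callback that runs on every PUBLISH and SUBSCRIBE, and the device's own credentials should be bound to its device ID in the same way so that a device cannot impersonate another; unguessable IDs are defence in depth, not a substitute for the ownership check.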
Recommendations
Use a YoLink MQTT broker version later than 2025-10-02.
Weakness Enumeration
Incorrect Authorization (CWE-863)
Related Identifiers
CVE-2025-59449
Affected Products
YoSmart YoLink MQTT Broker