PatchSiren

CVE-2025-59448 YoSmart CVE debrief

CISA's 2026-01-13 advisory for CVE-2025-59448 says parts of the YoSmart YoLink ecosystem used unencrypted MQTT communications, creating risk of disclosure or tampering if an attacker can observe network traffic. The issue affects YoLink Mobile Application 1.40.41 and the YoLink MQTT Broker; YoSmart recommends updating to 1.40.45 or later.

Vendor
YoSmart
Product
YoLink Smart Hub
CVSS
MEDIUM 4.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-01-13
Original CVE updated
2026-01-13
Advisory published
2026-01-13
Advisory updated
2026-01-13

Who should care

Operators and administrators of YoSmart YoLink Smart Hub deployments, especially environments using YoLink Mobile Application 1.40.41 or the YoLink MQTT Broker, and teams responsible for network monitoring, segmentation, or IoT/OT device management.

Technical summary

The advisory describes cleartext MQTT traffic in the YoSmart YoLink ecosystem through 2025-10-02. Because the MQTT messages are not encrypted in transit, anyone who can capture traffic between the affected components can read topic names and payloads directly from the wire, and an attacker who can also inject or modify packets on that path can alter messages to influence affected devices. CISA's supplied CVSS vector is CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N with a MEDIUM score of 4.7: the attacker needs a position on an adjacent network (AV:A) and the attack is rated high complexity (AC:H), but no privileges or user interaction are required, and the changed scope (S:C) reflects that tampering with the transport reaches devices beyond the component whose traffic is observed.
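To make the disclosure concrete, the following is an added example (not code from CISA, YoSmart, or the YoLink products) that decodes two cleartext MQTT 3.1.1 control packets, a CONNECT and a PUBLISH, and reports what a passive observer recovers from them. The packet bytes, client ID, topic, credentials, and JSON payload are constructed for the example and do not come from the advisory; TCP stream reassembly is assumed to have already been done (for instance from a packet capture), so the functions take one complete packet at a time.

```python
"""Decode cleartext MQTT 3.1.1 packets to show what an observer on the
network path recovers when the transport is not protected by TLS.
Added example; packet contents below are constructed, not captured."""
import struct

# Standard MQTT control packet types (high nibble of the first byte).
CONNECT, PUBLISH = 1, 3


def decode_remaining_length(buf, pos):
    """MQTT variable-length integer: 7 data bits per byte, high bit = more."""
    value, multiplier = 0, 1
    while True:
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if byte & 0x80 == 0:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")


def read_string(buf, pos):
    """Length-prefixed field (2-byte big-endian length, then the bytes)."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length].decode("utf-8", "replace"), pos + length


def decode_packet(buf):
    """Return a dict describing one CONNECT or PUBLISH packet, else None."""
    ptype, flags = buf[0] >> 4, buf[0] & 0x0F
    remaining, pos = decode_remaining_length(buf, 1)
    end = pos + remaining
    if end > len(buf):
        raise ValueError("truncated packet")
    body = buf[:end]
    if ptype == CONNECT:
        proto, pos = read_string(body, pos)
        level, cflags = body[pos], body[pos + 1]
        pos += 2
        (keepalive,) = struct.unpack_from(">H", body, pos)
        pos += 2
        client_id, pos = read_string(body, pos)
        info = {"type": "CONNECT", "protocol": proto, "level": level,
                "client_id": client_id, "keepalive": keepalive}
        if cflags & 0x04:  # Will flag: will topic and message follow
            info["will_topic"], pos = read_string(body, pos)
            info["will_message"], pos = read_string(body, pos)
        if cflags & 0x80:  # User Name flag
            info["username"], pos = read_string(body, pos)
        if cflags & 0x40:  # Password flag
            info["password"], pos = read_string(body, pos)
        return info
    if ptype == PUBLISH:
        qos = (flags >> 1) & 0x03
        topic, pos = read_string(body, pos)
        info = {"type": "PUBLISH", "topic": topic, "qos": qos,
                "retain": bool(flags & 0x01)}
        if qos > 0:  # packet identifier is present only for QoS 1 and 2
            (info["packet_id"],) = struct.unpack_from(">H", body, pos)
            pos += 2
        info["payload"] = body[pos:end]
        return info
    return None


def observer_findings(packets):
    """Summarise what each cleartext packet leaks to a passive observer."""
    findings = []
    for raw in packets:
        info = decode_packet(raw)
        if info is None:
            continue
        if info["type"] == "CONNECT":
            secrets = [k for k in ("username", "password") if k in info]
            if secrets:
                findings.append("CONNECT from client %r exposes %s in cleartext"
                                % (info["client_id"], ", ".join(secrets)))
        elif info["type"] == "PUBLISH":
            findings.append("PUBLISH to topic %r exposes %d-byte payload in cleartext"
                            % (info["topic"], len(info["payload"])))
    return findings


# Constructed sample packets (hypothetical client ID, credentials and topic).
# CONNECT: protocol "MQTT" level 4, flags 0xC2 = username+password+clean session,
# keepalive 60, client ID "yolink-hub-01", username "hub-user", password "s3cret".
CONNECT_PKT = (b"\x10\x2b"
               b"\x00\x04MQTT\x04\xc2\x00\x3c"
               b"\x00\x0dyolink-hub-01"
               b"\x00\x08hub-user"
               b"\x00\x06s3cret")
# PUBLISH, QoS 0, no retain, topic "yolink/hub-01/state" with a JSON payload.
PUBLISH_PKT = (b"\x30\x28"
               b"\x00\x13yolink/hub-01/state"
               b'{"lock":"unlocked"}')

if __name__ == "__main__":
    for line in observer_findings([CONNECT_PKT, PUBLISH_PKT]):
        print(line)
```

The same decoder is what a detection rule would run over reassembled broker traffic: any successfully parsed CONNECT carrying a username or password, or any PUBLISH whose payload is readable, is direct evidence that the transport is still cleartext after the update. With TLS in place the bytes on the wire would not parse as MQTT at all.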

Defensive priority

Medium priority. The issue is not listed in KEV, and the CVSS vector requires adjacent network access with high attack complexity, but a successful attacker can read sensitive data and tamper with device messages, so patching and exposure reduction should be scheduled promptly rather than deferred.

Recommended defensive actions

  • Update YoLink Mobile Application and YoLink MQTT Broker to version 1.40.45 or later, as recommended by YoSmart.
  • Inventory YoSmart YoLink components and confirm which systems are at or below version 1.40.41.
  • Restrict who can observe or reach MQTT-related traffic, and reduce exposure through network segmentation where feasible: keep YoLink components on a dedicated IoT segment rather than a shared LAN or Wi-Fi network, since the CVSS vector assumes an adjacent-network attacker.
  • After updating, verify on the wire that broker sessions are TLS-protected; by MQTT convention the cleartext listener is TCP 1883 and the TLS listener is TCP 8883, so any MQTT CONNECT or PUBLISH that a packet capture can still decode in the clear means the exposure remains.
  • Monitor for unexpected device state changes or MQTT anomalies that could indicate tampering, such as CONNECTs from unknown client IDs or publishes to device topics from unexpected sources.
  • Review the CISA advisory and YoSmart security advisory for any vendor-specific mitigation guidance.

Evidence notes

Based on CISA CSAF advisory ICSA-26-013-03 and its referenced YoSmart security advisory. The source states the issue affects YoLink Mobile Application 1.40.41 and YoLink MQTT Broker, recommends updating to 1.40.45 or later, and describes unencrypted MQTT communications through 2025-10-02. Timing in this debrief is taken from the advisory's 2026-01-13 publication date.

Official resources

Publicly disclosed by CISA on 2026-01-13 in ICSA-26-013-03. The supplied source corpus marks this as the initial publication and does not identify the issue as KEV-listed.