PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-59449 YoSmart CVE debrief

CVE-2025-59449 affects YoSmart YoLink Smart Hub-related services and was publicly disclosed by CISA on 2026-01-13 in ICSA-26-013-03. The advisory says the YoSmart YoLink MQTT broker through 2025-10-02 did not enforce sufficient authorization controls to prevent cross-account attacks. If an attacker obtains associated device IDs, they may be able to remotely operate affected devices. CISA’s published material also notes that YoLink device IDs are predictable, which increases the practical risk of unauthorized cross-account control. YoSmart states the issue was resolved on the server backend and that no user actions are required.

Vendor: YoSmart
Product: YoLink Smart Hub
CVSS: MEDIUM 4.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-13
Original CVE updated: 2026-01-13
Advisory published: 2026-01-13
Advisory updated: 2026-01-13

Who should care

YoLink Smart Hub owners, YoLink account holders, OT/IoT administrators, home automation users, and anyone integrating YoLink devices into broader control systems should care. This is especially relevant for environments where device integrity and remote control of actuators matter.

Technical summary

The issue is an authorization failure in the YoSmart YoLink MQTT broker. According to the CISA CSAF advisory, insufficient authorization controls could allow cross-account attacks if an attacker knows the associated device IDs. The advisory further states that YoLink device IDs are predictable, making it easier for an attacker to target another user’s devices. The CVSS vector provided by CISA indicates network-based exploitation with low privileges and no user interaction, and a scope change due to the cross-account impact.

Defensive priority

Medium urgency. Prompt validation is recommended because, despite the medium CVSS score, the impact can include unauthorized remote control of devices.

Recommended defensive actions

  • Review the CISA advisory and the YoSmart security advisory for the latest remediation status.
  • Confirm your YoLink devices and hubs are operating normally and look for any unexpected remote actions or account-linked changes.
  • If you manage multiple YoLink accounts or shared environments, verify account ownership and access controls for all devices.
  • Monitor for unusual device commands or cross-account control attempts and report anomalies to YoSmart support.
  • Keep records of device IDs, account ownership, and device-to-account mappings so abnormal access is easier to detect.
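The control the technical summary says was missing, and the device-to-account mapping the last action above asks you to keep, can be combined in one broker-side check. The example below is added here and is not YoSmart's code; the topic scheme, account names and device IDs are constructed assumptions, not YoLink's real format. The same function is then run over a constructed command log to flag cross-account attempts for monitoring.

```python
"""Per-account authorization for device-scoped MQTT topics (added example).

Assumed topic scheme (hypothetical, not YoLink's real format):
  devices/<device_id>/command   publish   = operate the device
  devices/<device_id>/state     subscribe = read the device
Deny by default: a request only passes if the authenticated account owns
the device_id in the topic, so a guessed or sequential ID is rejected.
"""
import re
from typing import Dict, List, Tuple

TOPIC_RE = re.compile(r"^devices/(?P<device_id>[A-Za-z0-9]+)/(command|state)$")

# Constructed ownership table: device_id -> owning account.
OWNERSHIP: Dict[str, str] = {
    "d100001": "alice",
    "d100002": "alice",
    "d100003": "bob",
}


def authorize(account: str, topic: str, ownership: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason). Unknown topics, unknown devices and devices
    owned by another account are all denied."""
    m = TOPIC_RE.match(topic)
    if not m:
        return False, "topic does not match device scheme"
    device_id = m.group("device_id")
    owner = ownership.get(device_id)
    if owner is None:
        return False, f"unknown device {device_id}"
    if owner != account:
        return False, f"device {device_id} belongs to another account"
    return True, "ok"


# Constructed broker log: (account, action, topic).
SAMPLE_LOG: List[Tuple[str, str, str]] = [
    ("alice", "publish", "devices/d100001/command"),
    ("bob", "publish", "devices/d100002/command"),      # cross-account attempt
    ("bob", "subscribe", "devices/d100003/state"),
    ("mallory", "publish", "devices/d100004/command"),  # probing an unknown ID
]


def find_cross_account(log, ownership) -> List[Tuple[str, str, str]]:
    """Return (account, topic, reason) for every denied request, which is
    what a defender should alert on when watching for ID probing."""
    return [(acct, topic, reason) for acct, _, topic in log
            for ok, reason in [authorize(acct, topic, ownership)] if not ok]


if __name__ == "__main__":
    for acct, topic, reason in find_cross_account(SAMPLE_LOG, OWNERSHIP):
        print(f"DENY {acct} -> {topic}: {reason}")
```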

Evidence notes

All substantive claims here come from the supplied CISA CSAF source item and its listed references. The advisory text states the YoSmart YoLink MQTT broker lacked sufficient authorization controls through 2025-10-02, that predictable device IDs could enable cross-account device control, and that YoSmart resolved the issue on the server backend with no user action required. No KEV entry was provided for this CVE.

Official resources

Publicly disclosed by CISA on 2026-01-13 in advisory ICSA-26-013-03; the supplied advisory records initial publication on that date and does not list the issue in KEV.