PatchSiren cyber security CVE debrief
CVE-2025-59451 YoSmart CVE debrief
CVE-2025-59451 is a low-severity YoSmart YoLink issue disclosed publicly by CISA on 2026-01-13. The advisory says the YoSmart YoLink application through 2025-10-02 had session tokens with unexpectedly long lifetimes, which can extend the usable window for an active session. CISA also states the issue was resolved on the server backend and that no user actions are required.
- Vendor: YoSmart
- Product: YoLink Smart Hub
- CVSS: LOW 3.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-13
- Original CVE updated: 2026-01-13
- Advisory published: 2026-01-13
- Advisory updated: 2026-01-13
Who should care
YoSmart YoLink Smart Hub users, administrators, and teams that rely on the platform in managed or operational environments should be aware of the advisory and confirm account/session hygiene.
Technical summary
The source advisory describes a session management weakness affecting YoSmart YoLink components, including YoLink Smart Hub and the YoLink mobile application, where session tokens persisted longer than intended through 2025-10-02. The supplied CVSS 3.1 vector is AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N, which aligns with a network-reachable issue requiring some privileges and resulting in limited integrity impact rather than confidentiality or availability impact. CISA’s remediation note says YoSmart resolved the vulnerabilities on the server backend, so the fix is not dependent on end-user patching.
Defensive priority
Low. Track the advisory for confirmation that sessions behave normally, but no user-side remediation is required per YoSmart/CISA.
Recommended defensive actions
- Treat the issue as already remediated on the vendor backend; no direct user patch action is required.
- If you administer shared or sensitive accounts, review session and account-access practices to ensure old sessions are not unnecessarily trusted.
- Follow standard CISA ICS recommended practices for defensive account hygiene and access control.
- Monitor the official YoSmart security advisory for any follow-up guidance or clarification.
Evidence notes
The facts in this brief come from the CISA CSAF advisory ICSA-26-013-03 and the linked CVE record. The advisory description states that the YoSmart YoLink application through 2025-10-02 had session tokens with unexpectedly long lifetimes, and the remediation section states the vulnerabilities were resolved on the server backend with no user action required. The CVE is publicly dated 2026-01-13; that date is used here for disclosure context.
Official resources
- CVE-2025-59451 CVE record (CVE.org)
- CVE-2025-59451 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed by CISA in advisory ICSA-26-013-03 on 2026-01-13.