PatchSiren cyber security CVE debrief

CVE-2025-59452 YoSmart CVE debrief

CVE-2025-59452 is a YoSmart YoLink Smart Hub/API issue disclosed by CISA on 2026-01-13. The advisory says the YoLink API through 2025-10-02 used an endpoint URL derived from a device MAC address together with an MD5 hash of non-secret information, including a key that begins with cf50. YoSmart states update 0383 supports a new dynamic authentication algorithm and will be delivered automatically over the air. The supplied CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N, indicating network reachability with limited confidentiality impact.

Vendor: YoSmart
Product: YoLink Smart Hub
CVSS: MEDIUM 5.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-13
Original CVE updated: 2026-01-13
Advisory published: 2026-01-13
Advisory updated: 2026-01-13

Who should care

YoSmart YoLink Smart Hub owners, operators managing YoSmart server or YoLink mobile app integrations, and defenders responsible for consumer or edge IoT exposure should review this advisory. Any environment that relies on the affected API behavior before the update should confirm the automatic update path and monitor for device or account anomalies.

Technical summary

The issue described in the advisory is a weak endpoint-derivation design rather than a memory-corruption flaw. The API endpoint URL was computed from a device MAC address plus an MD5 hash of non-secret data, which can make a service endpoint more predictable than intended. CISA lists the impact as low confidentiality with no integrity or availability impact in the supplied CVSS vector. YoSmart's remediation is update 0383, described as an automatic OTA release that introduces a new dynamic authentication algorithm.
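To make the design point concrete, the following added example (written for this debrief, not YoSmart's code or the actual YoLink derivation) contrasts an endpoint token computed as an unkeyed hash over non-secret inputs with one computed as an HMAC under a per-device secret; the MAC address, the "cf50-PLACEHOLDER" prefix and both derivation functions are constructed placeholders.

```python
"""Why an unkeyed hash of non-secret inputs adds no authentication, and
what a keyed per-device derivation changes. Constructed illustration only:
inputs, key prefix and both derivations are hypothetical, not YoSmart's."""
import hashlib
import hmac
import secrets

# Constructed, non-secret inputs: a device MAC and a fixed prefix that every
# device would share (a stand-in for anything shipped in firmware or visible
# on the wire). Neither is a secret.
DEVICE_MAC = "00:11:22:33:44:55"
SHARED_PREFIX = "cf50-PLACEHOLDER"


def unkeyed_token(mac: str, shared_prefix: str) -> str:
    """Weak pattern: MD5 over values anyone can learn. No secret is mixed in,
    so any party that knows the inputs recomputes the identical token."""
    return hashlib.md5(f"{shared_prefix}:{mac}".encode()).hexdigest()


def keyed_token(mac: str, device_secret: bytes) -> str:
    """Hardened pattern: HMAC-SHA256 under a per-device secret that is
    provisioned individually and never sent. Knowing the MAC and the
    algorithm is not enough to reproduce the token without that secret."""
    return hmac.new(device_secret, mac.encode(), hashlib.sha256).hexdigest()


def observer_can_recompute(reference: str, derive, *known_inputs) -> bool:
    """Design-review check: can a party holding only what it knows reproduce
    the reference token? True means the derivation is merely an encoding."""
    return hmac.compare_digest(reference, derive(*known_inputs))


def review() -> dict:
    """Runs both derivations from the device side, then replays each from the
    observer side using only public knowledge."""
    device_secret = secrets.token_bytes(32)   # per-device, provisioned once
    weak = unkeyed_token(DEVICE_MAC, SHARED_PREFIX)
    strong = keyed_token(DEVICE_MAC, device_secret)
    # The observer knows MAC and prefix; for the keyed scheme it can only guess.
    guessed_secret = secrets.token_bytes(32)
    return {
        "unkeyed_recomputable": observer_can_recompute(
            weak, unkeyed_token, DEVICE_MAC, SHARED_PREFIX),
        "keyed_recomputable": observer_can_recompute(
            strong, keyed_token, DEVICE_MAC, guessed_secret),
    }


if __name__ == "__main__":
    print(review())  # {'unkeyed_recomputable': True, 'keyed_recomputable': False}
```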

Defensive priority

Medium. The advisory is public and the issue is reachable over the network (AV:N), but the supplied CVSS score is moderate and the vendor indicates an automatic fix path. Priority should be to verify devices are receiving update 0383 and to review any integrations that depend on YoLink API access.

Recommended defensive actions

  • Confirm YoLink Smart Hub devices are eligible for and actually receiving automatic OTA update 0383.
  • Inventory any systems, scripts, or integrations that call YoSmart or YoLink APIs and review them for dependence on predictable endpoint behavior.
  • Monitor for unexpected API failures or changes after the authentication update and validate business-critical automations.
  • Use the CISA advisory and YoSmart security advisory as the authoritative sources for remediation status and product scope.

Evidence notes

CISA's CSAF advisory ICSA-26-013-03 states the issue affected the YoSmart YoLink API through 2025-10-02 and describes the endpoint URL as derived from a device MAC address plus an MD5 hash of non-secret information, including a key beginning with cf50. The same source says YoSmart released update 0383 to support a new dynamic authentication algorithm and that it will be pushed automatically over the air.

Official resources

Publicly disclosed by CISA in ICS Advisory ICSA-26-013-03 on 2026-01-13, which is also the CVE published and modified date supplied here. The source corpus does not describe exploitation in the wild or a KEV listing.