CVE-2025-59449 MEDIUM

CVE-2025-59449

Vendor Yosmart

Product YoLink MQTT broker

Weakness CWE-863 · Incorrect authorization

Published October 6, 2025

Last update November 26, 2025

View on NVD All CVEs

CVSS base score

4.9/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The YoSmart YoLink MQTT broker through 2025-10-02 does not enforce sufficient authorization controls to prevent cross-account attacks, allowing an attacker to remotely operate affected devices if the attacker obtains the associated device IDs. Because YoLink device IDs are predictable, an attacker can exploit this to gain full control over any other YoLink user's devices.

Key dates

02Disclosure timeline

October 6, 2025 CVE published

November 26, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-59449

Related vulnerabilities

04Related CVE

CVE-2024-27312 Authorization vulnerability in PAM360 CVE-2026-48507 Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users CVE-2025-11239 Job details are visible to all team members on KNIME Business Hub CVE-2023-3979 Incorrect Authorization in GitLab CVE-2023-3459 Export and Import Users and Customers <= 2.4.1 - Missing Authorization to Authenticated (Shop Manager) Arbitrary User Password Change