---
title: "YoLink Smart Hub Flaws Expose Smart Homes to Remote Attacks"
short_title: "YoLink Smart Hub vulnerabilities expose users to hacking"
description: "Critical vulnerabilities in YoSmart YoLink Smart Hub allow remote device control, data interception, and session hijacking. Learn how to stay protected."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [yolink, smart home, cve-2025, iot security, cybersecurity]
score: 0.78
cve_ids: [CVE-2025-59448, CVE-2025-59449, CVE-2025-59451, CVE-2025-59452]
---

## TL;DR

Four critical vulnerabilities in the YoSmart YoLink Smart Hub and its ecosystem have been discovered, enabling attackers to remotely control smart home devices, intercept sensitive data, and hijack user sessions. While patches have been deployed for most flaws, users are urged to update their mobile apps and firmware to mitigate risks.

---

## Introduction

Smart home devices are increasingly becoming targets for cybercriminals due to their widespread adoption and often inadequate security measures. The YoSmart YoLink Smart Hub, a popular choice for managing smart home ecosystems, has been found to contain four critical vulnerabilities that could expose users to remote attacks. These flaws, if exploited, allow threat actors to take control of devices, intercept communications, and hijack sessions—putting sensitive data and physical security at risk.

---

## Key Points

- Four vulnerabilities (CVE-2025-59448, CVE-2025-59449, CVE-2025-59451, CVE-2025-59452) affect the YoLink Smart Hub, mobile app, and backend servers.
- Exploitation risks include remote device control, data interception, and session hijacking.
- Predictable device IDs and unencrypted communications are among the primary weaknesses.
- Patches have been released for most vulnerabilities, but users must update their apps and firmware to stay protected.
- No known exploitation has been reported yet, but the potential impact is severe.

---

## Technical Details

#### 1. CVE-2025-59449: Incorrect Authorization in MQTT Broker
The YoLink MQTT broker fails to enforce proper authorization controls, allowing attackers to perform cross-account attacks. By obtaining predictable device IDs, threat actors can gain full control over any YoLink user's devices. This vulnerability affects the YoSmart server and has a CVSS score of 4.9 (Medium).
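The authorization gap described above is a broker-side ownership check that is missing, not a secret that is too weak: even an unguessable device ID would not help if the broker lets any authenticated client touch any device topic. The following is an added example (not YoSmart's broker code) showing the permissive pattern beside an ownership-keyed check. The topic layout `yl/<device_id>/cmd` and `yl/<device_id>/state`, the device IDs and the account names are assumptions made for illustration.

```python
"""Broker-side topic authorization tied to device ownership.

Added example, not YoSmart's broker code. The topic layout and device ids
are assumptions made for illustration:
    yl/<device_id>/cmd    commands sent to a device
    yl/<device_id>/state  state reports published by a device
"""
import re

TOPIC_RE = re.compile(r"^yl/(?P<device_id>[0-9a-f]{12})/(?P<channel>cmd|state)$")

# Constructed ownership registry: device id -> owning account.
OWNERS = {
    "d8f15b000001": "alice",
    "d8f15b000002": "alice",
    "d8f15b000003": "bob",
}


def permissive_authorize(account: str, action: str, topic: str) -> bool:
    """The weak pattern the advisory describes, kept as the 'before' case:
    any authenticated client may publish or subscribe to any device topic,
    so a guessable device id is all that is needed to reach another
    account's devices."""
    return TOPIC_RE.match(topic) is not None


def authorize(account: str, action: str, topic: str, owners=OWNERS) -> bool:
    """Hardened check: allow only if the device in `topic` belongs to
    `account`. Knowing a valid device id is not sufficient on its own.

    `action` is "publish" or "subscribe". Wildcard subscriptions such as
    yl/+/state do not match TOPIC_RE and are therefore denied."""
    m = TOPIC_RE.match(topic)
    if m is None:
        return False                         # unknown topic shape: deny by default
    if owners.get(m["device_id"]) != account:
        return False                         # cross-account access: deny
    channel = m["channel"]
    if action == "publish":
        return channel == "cmd"              # app clients send commands only
    if action == "subscribe":
        return channel == "state"            # ...and read state only
    return False


# Constructed broker access log: who tried what; used to compare both policies.
REQUESTS = [
    ("alice", "publish",   "yl/d8f15b000001/cmd"),
    ("bob",   "publish",   "yl/d8f15b000001/cmd"),    # bob targets alice's device
    ("bob",   "subscribe", "yl/+/state"),              # wildcard over everyone
    ("bob",   "subscribe", "yl/d8f15b000003/state"),
]


def denied_by(policy, requests=REQUESTS):
    """Return the requests a policy rejects, for side-by-side comparison."""
    return [r for r in requests if not policy(*r)]


if __name__ == "__main__":
    print("permissive denies:", denied_by(permissive_authorize))
    print("ownership denies: ", denied_by(authorize))
```

In a real deployment the `OWNERS` lookup would be the broker's ACL plugin or auth backend consulting the account database; the point is that the ownership relation, not the secrecy of the device ID, is what the check must be keyed on.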

#### 2. CVE-2025-59452: Predictable API Endpoint URLs
The YoLink API uses endpoint URLs derived from MAC addresses and MD5 hashes of non-secret information. This predictability enables attackers to guess or brute-force URLs, potentially accessing sensitive data or executing unauthorized commands. The flaw affects YoLink Smart Hub firmware version 0382 and has a CVSS score of 5.8 (Medium).
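The underlying problem is that an unkeyed hash of public information is no harder to compute for an outsider than for the server. The following added example (not YoSmart's API code) puts that weak derivation beside two hardened alternatives: a keyed HMAC under a server-held secret, which stays deterministic per device but cannot be recomputed without the key, and a random handle minted at registration. The `/device/` path prefix, the MAC, the key and the registry class are constructed for illustration.

```python
"""Endpoint handles: public-info hash versus keyed or random handles.

Added example, not YoSmart's API code. The MAC, the server key and the
DeviceRegistry class are constructed for illustration."""
import hashlib
import hmac
import secrets


def _normalize_mac(mac: str) -> str:
    return mac.lower().replace(":", "").replace("-", "")


def weak_handle(mac: str) -> str:
    """The weak pattern the advisory describes, kept as the 'before' case:
    the handle is a plain MD5 of the MAC, i.e. of information that is
    visible on the local network and printed on the device label, so any
    party that knows the MAC can compute the same value."""
    return hashlib.md5(_normalize_mac(mac).encode()).hexdigest()


def keyed_handle(mac: str, server_key: bytes) -> str:
    """Hardened, deterministic variant: HMAC-SHA256 under a key only the
    server holds. The handle is still stable per device, but cannot be
    recomputed by anyone who lacks the key."""
    return hmac.new(server_key, _normalize_mac(mac).encode(), hashlib.sha256).hexdigest()


def random_handle() -> str:
    """Hardened, stateful variant: an unguessable handle minted at device
    registration and stored alongside the device record."""
    return secrets.token_urlsafe(32)


class DeviceRegistry:
    """Maps random handles to device records. Because handles carry 256 bits
    of entropy, a plain dictionary lookup is sufficient; nothing about the
    device or its owner is derivable from the handle."""

    def __init__(self):
        self._by_handle = {}

    def register(self, mac: str, owner: str) -> str:
        handle = random_handle()
        self._by_handle[handle] = {"mac": _normalize_mac(mac), "owner": owner}
        return handle

    def resolve(self, handle: str):
        """Return the device record for a handle, or None if unknown."""
        return self._by_handle.get(handle)


if __name__ == "__main__":
    mac = "D8:F1:5B:00:00:01"                      # constructed sample MAC
    key = b"constructed-demo-server-key"           # assumption: server-side secret
    print("weak  :", weak_handle(mac))
    print("keyed :", keyed_handle(mac, key))
    registry = DeviceRegistry()
    handle = registry.register(mac, "alice")
    print("random:", handle, registry.resolve(handle))
```

Either hardened variant also needs the ownership check from the MQTT discussion: an unguessable handle limits who can find an endpoint, while authorization decides what a caller who has found it may do.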

#### 3. CVE-2025-59448: Cleartext Transmission of Sensitive Data
Components of the YoLink ecosystem, including the mobile app (versions before 1.40.45) and MQTT broker, communicate over unencrypted channels. This allows attackers with network access to intercept sensitive data or manipulate device commands. The vulnerability has a CVSS score of 4.7 (Medium).

#### 4. CVE-2025-59451: Overly Permissive Session Tokens
The YoLink application issues session tokens with excessively long lifetimes, increasing the risk of session hijacking. This flaw affects the YoSmart server and has a CVSS score of 3.5 (Low).
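A server-side lifetime cap is the direct fix for this class of weakness: the server refuses to mint a token that outlives policy, and also refuses to honour a validly signed token whose lifetime exceeds the current cap, which retires tokens issued under an older, looser policy. The following added example (not YoSmart's session code) shows both halves. The signing key, the one-hour ceiling and the token layout (base64url JSON body plus an HMAC-SHA256 tag) are assumptions for illustration.

```python
"""Short-lived, signed session tokens with a server-side lifetime cap.

Added example, not YoSmart's session code. The signing key, the one-hour
cap and the token layout are assumed for illustration."""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-signing-key"   # assumption: held only by the server
MAX_LIFETIME = 3600                              # assumption: one-hour policy ceiling


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_payload(payload: dict, key: bytes = SIGNING_KEY) -> str:
    """Serialize and sign any payload. issue_token uses this; it is also
    exposed so a token with an out-of-policy lifetime can be built to show
    that verify_token rejects it even though the signature is valid."""
    body = _b64e(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(tag)}"


def issue_token(user_id: str, lifetime: int = MAX_LIFETIME, now=None,
                key: bytes = SIGNING_KEY) -> str:
    """Issue a token whose lifetime is capped at MAX_LIFETIME regardless
    of what the caller requests."""
    now = int(time.time()) if now is None else now
    lifetime = min(lifetime, MAX_LIFETIME)
    return sign_payload({"sub": user_id, "iat": now, "exp": now + lifetime}, key)


def verify_token(token: str, now=None, key: bytes = SIGNING_KEY):
    """Return the user id, or None when the token is malformed, forged,
    expired, or was issued with a lifetime above the current policy cap."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(tag)):
            return None                                  # forged or tampered
        payload = json.loads(_b64d(body))
        iat, exp, sub = int(payload["iat"]), int(payload["exp"]), str(payload["sub"])
    except (ValueError, KeyError, TypeError):
        return None                                      # malformed token
    if exp - iat > MAX_LIFETIME:
        return None                                      # minted under a looser policy
    if now >= exp:
        return None                                      # expired
    return sub


if __name__ == "__main__":
    t = issue_token("alice", lifetime=30 * 86400)        # 30-day request is capped to 1 h
    print(t)
    print("valid now:", verify_token(t))
    print("valid in 2 h:", verify_token(t, now=int(time.time()) + 7200))
```

For a production service the usual companion measures are refresh tokens that can be revoked server-side and binding the session to a client identifier; the lifetime cap above is the minimal control that directly addresses an over-long validity window.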

---

## Impact Assessment

The vulnerabilities pose significant risks to users of the YoLink Smart Hub ecosystem:

- Remote Device Control: Attackers can manipulate smart home devices, such as locks, cameras, and sensors, potentially compromising physical security.
- Data Interception: Unencrypted communications enable eavesdropping on sensitive information, including device statuses and user credentials.
- Session Hijacking: Prolonged session token validity increases the likelihood of unauthorized access to user accounts.
- Cross-Account Attacks: Predictable device IDs and weak authorization controls allow attackers to target any YoLink user, not just those on the same network.

While no active exploitation has been reported, the widespread deployment of YoLink devices makes this a high-priority issue for users and organizations relying on smart home technologies.

---

## Mitigation Steps

YoSmart has addressed most of these vulnerabilities through server-side patches and firmware updates. Users are advised to take the following actions:

1. Update the YoLink Mobile App: Ensure the app is updated to version 1.40.45 or later to mitigate CVE-2025-59448.
2. Apply Firmware Updates: The YoLink Smart Hub firmware update (version 0383) resolves CVE-2025-59452. This update is deployed automatically via over-the-air (OTA) updates.
3. Monitor Network Traffic: Use firewalls and network monitoring tools to detect unusual activity.
4. Isolate Smart Home Devices: Place smart home devices on a separate network to limit exposure to potential attacks.
5. Enable Encryption: Use VPNs or other encrypted communication methods when accessing smart home devices remotely.
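Steps 3 and 4 above can be turned into a concrete detection: once smart-home devices sit on their own segment, two things are worth alerting on, a hub or device reaching the internet over a cleartext protocol (plain MQTT on 1883 or HTTP on 80 rather than 8883 or 443), and any traffic crossing the boundary between the smart-home segment and the rest of the LAN. The following is an added example, not part of the original post. The key=value flow-record format, the 192.168.50.0/24 smart-home segment and the sample lines are constructed for illustration; the parser would be adapted to whatever a firewall or Zeek actually exports.

```python
"""Flag cleartext smart-home protocol traffic and cross-segment access in
flow records.

Added example, not part of the original post. The flow-record format, the
network ranges and the sample lines are constructed for illustration."""
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/16")            # assumption: whole home/office LAN
IOT_SEGMENT = ipaddress.ip_network("192.168.50.0/24")   # assumption: isolated smart-home VLAN
CLEARTEXT_PORTS = {1883: "mqtt", 80: "http"}            # well-known unencrypted ports
# 8883 (MQTT over TLS) and 443 (HTTPS) are the encrypted counterparts and are not flagged.

# Constructed sample flow records (one per line).
SAMPLE_FLOWS = """\
ts=1737700001 src=192.168.50.20 dst=203.0.113.10 dport=8883 proto=tcp bytes=1200
ts=1737700002 src=192.168.50.21 dst=203.0.113.10 dport=1883 proto=tcp bytes=900
ts=1737700003 src=192.168.50.21 dst=203.0.113.11 dport=80 proto=tcp bytes=300
ts=1737700004 src=192.168.1.15 dst=192.168.50.20 dport=1883 proto=tcp bytes=200
ts=1737700005 src=192.168.50.22 dst=192.168.50.1 dport=53 proto=udp bytes=80
"""


def parse_flow(line: str) -> dict:
    """Parse one key=value flow record into a dict with typed fields."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "ts": int(fields["ts"]),
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
        "proto": fields["proto"],
    }


def classify(flow: dict) -> list:
    """Return the findings for one flow (an empty list means nothing of note)."""
    src, dst, dport = flow["src"], flow["dst"], flow["dport"]
    findings = []
    # Hub or device talking to the internet over a cleartext protocol.
    if src in IOT_SEGMENT and dst not in LAN and dport in CLEARTEXT_PORTS:
        findings.append(f"cleartext {CLEARTEXT_PORTS[dport]} to internet")
    # Traffic crossing the boundary between the smart-home segment and the rest of the LAN.
    if src in LAN and dst in LAN and (src in IOT_SEGMENT) != (dst in IOT_SEGMENT):
        findings.append("cross-segment lan access")
    return findings


def scan(text: str) -> list:
    """Run classify over a block of flow records; return (ts, src, findings) per hit."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        findings = classify(flow)
        if findings:
            hits.append((flow["ts"], str(flow["src"]), findings))
    return hits


if __name__ == "__main__":
    for ts, src, findings in scan(SAMPLE_FLOWS):
        print(ts, src, "; ".join(findings))
```

Note that the LAN range is stated explicitly rather than inferred from `ip_address.is_private`, because Python treats documentation ranges such as 203.0.113.0/24 (used in the sample) as non-global too; in production the ranges would come from the site's address plan. The cross-segment rule is deliberately symmetric so that a management host reaching into the smart-home VLAN is surfaced as well and can be allow-listed explicitly.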

---

## Affected Systems

The following YoLink products and versions are affected by these vulnerabilities:

| Product | Affected Versions | Vulnerabilities |
|---------------------------|--------------------------------|---------------------------------------------|
| YoSmart Server | All versions | CVE-2025-59449, CVE-2025-59451 |
| YoLink Smart Hub | Firmware version 0382 | CVE-2025-59452 |
| YoLink Mobile Application | Versions before 1.40.45 | CVE-2025-59448 |

---

## Conclusion

The discovery of these vulnerabilities in the YoLink Smart Hub underscores the critical importance of robust security practices in smart home ecosystems. While YoSmart has taken steps to address these flaws, users must proactively update their devices and implement defensive measures to minimize risks.

As smart home adoption continues to grow, manufacturers and users alike must prioritize security-by-design principles to prevent similar vulnerabilities in the future. For now, staying informed and applying updates remains the best defense against potential exploitation.

---

## References

[^1]: CISA. "[ICSA-26-013-03 YoSmart YoLink Smart Hub Vulnerabilities](https://www.cisa.gov/news-events/ics-advisories/icsa-26-013-03)". Retrieved 2025-01-24.
[^2]: Bishop Fox. "YoLink Smart Hub Vulnerability Research". Retrieved 2025-01-24.
[^3]: MITRE. "[CWE-863: Incorrect Authorization](https://cwe.mitre.org/data/definitions/863.html)". Retrieved 2025-01-24.
[^4]: MITRE. "[CWE-340: Generation of Predictable Numbers or Identifiers](https://cwe.mitre.org/data/definitions/340.html)". Retrieved 2025-01-24.
[^5]: MITRE. "[CWE-319: Cleartext Transmission of Sensitive Information](https://cwe.mitre.org/data/definitions/319.html)". Retrieved 2025-01-24.
