YoSmart YoLink Smart Hub
Monitor | 5.8 | ICS-CERT ICSA-26-013-03 | Jan 13, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
YoSmart YoLink Smart Hub and related products contain multiple vulnerabilities (CWE-863 improper authorization, CWE-340 generation of predictable numbers, CWE-319 cleartext transmission) that allow attackers to remotely control other users' smart home devices, intercept sensitive data, and hijack user sessions.
What this means
What could happen
An attacker could intercept and hijack user accounts to remotely control connected smart home devices, access sensitive user data, and potentially manipulate building automation or home energy management systems under an organization's control.
Who's at risk
Organizations using YoSmart YoLink Smart Hub for building automation or home energy management, particularly those managing multiple user accounts or integrating IoT devices into facility control systems. Affects any facility relying on smart home devices for security, HVAC, lighting, or energy management where account hijacking could impact operations.
How it could be exploited
An attacker on the network can send requests to the YoSmart server without authentication to exploit authorization flaws, intercept unencrypted traffic to steal session tokens or credentials, or enumerate and control smart home devices registered to other users' accounts.
Prerequisites
- Network access to YoSmart server endpoints
- No valid credentials required
- Ability to intercept or monitor network traffic to the YoLink service
Tags: remotely exploitable · no authentication required · low complexity · no patch available for hub and mobile app · cleartext data transmission · improper authorization controls
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (3)
1 with fix · 1 pending · 1 EOL
Product | Affected Versions | Fix Status
YoSmart server: vers:all/* | All versions | Fix available
YoLink Mobile Application: <v1.40.45 | <v1.40.45 | No fix yet
YoLink Smart Hub: 0382 | 0382 | No fix (EOL)
Remediation & Mitigation
Do now
HOTFIX: YoSmart has resolved CVE-2025-59449 and CVE-2025-59451 on the server backend; monitor for confirmation that the backend patches are deployed and fully operational
WORKAROUND: Restrict network access to YoSmart server endpoints to authorized users only via firewall rules or VPN
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade YoLink Mobile Application to version 1.40.45 or later
HARDENING: Monitor and log all authentication attempts and device control commands from YoLink accounts
Mitigations - no patch available
YoLink Smart Hub: 0382 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Require TLS/encrypted communication for all YoLink mobile app and hub communications