YoSmart YoLink Smart Hub

CVSS 5.8 | ICS-CERT ICSA-26-013-03 | Jan 13, 2026

Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

YoSmart YoLink Smart Hub and YoLink Mobile Application contain multiple authorization and cryptographic vulnerabilities (CWE-863, CWE-340, CWE-319) that allow remote attackers to control other users' smart home devices, intercept sensitive data, and hijack user sessions. The vulnerabilities affect all versions of the YoSmart server, YoLink Mobile Application versions before 1.40.45, and YoLink Smart Hub 0382. YoSmart has patched the server backend; the mobile application requires user updates; and the Smart Hub 0382 will not receive a patch.

What this means
What could happen
An attacker could remotely control other users' smart home devices connected to YoLink Smart Hubs and intercept sensitive data like authentication tokens or user credentials, potentially giving them persistent access to a user's smart home system.
Who's at risk
Users of YoLink Smart Hub home automation devices and the YoLink mobile app are affected. This is consumer smart home equipment, but organizations using YoLink devices for facilities automation (HVAC, lighting, access control) or monitoring should assess whether those devices control critical systems.
How it could be exploited
An attacker on the network could intercept unencrypted communications between the YoLink Mobile Application and YoSmart server, or exploit improper authorization checks on the server backend to access or control devices belonging to other users without their credentials.
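The server-side defect class named above (CWE-863, incorrect authorization) is easiest to see as code. The following is an added example written for this page, not YoSmart's or YoLink's code: a constructed device-control handler whose only check is "is the session token valid?" sits beside a hardened version that also ties the requested device to the authenticated owner, plus the regression check a reviewer would keep in CI to catch the bug. All users, tokens and device IDs are invented.

```python
"""Added example (not YoSmart/YoLink code): CWE-863 in a device-control API.
Constructed data and hypothetical function names throughout."""


class AuthzError(Exception):
    """Raised for both 'invalid session' and 'not your device'."""


# Constructed sample state: two sessions, two hub-attached devices.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}      # session token -> user
DEVICE_OWNER = {"dev-1001": "alice", "dev-2002": "bob"}  # device id -> owner


def authenticate(token):
    """Session check only. Answers 'who is calling?', not 'may they do this?'."""
    user = SESSIONS.get(token)
    if user is None:
        raise AuthzError("invalid session")
    return user


def set_device_state_vulnerable(token, device_id, state):
    """CWE-863 pattern: any authenticated user may act on any existing device,
    because the client-supplied device_id is never compared to the caller."""
    authenticate(token)
    if device_id not in DEVICE_OWNER:
        raise KeyError(device_id)
    return {"device": device_id, "state": state, "ok": True}


def set_device_state_fixed(token, device_id, state, denied_log=None):
    """Hardened: object-level authorization. The device must belong to the
    caller; unknown and foreign devices get the same response so the API does
    not confirm which device IDs exist."""
    user = authenticate(token)
    if DEVICE_OWNER.get(device_id) != user:
        if denied_log is not None:
            denied_log.append((user, device_id))  # feed to detection/alerting
        raise AuthzError("device not found")
    return {"device": device_id, "state": state, "ok": True}


def handler_enforces_ownership(handler):
    """Regression check for CI: a valid session for one user must not be able
    to change another user's device. Returns True when the handler refuses."""
    try:
        handler("tok-bob", "dev-1001", "on")  # bob's session, alice's device
    except AuthzError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable handler isolates tenants:",
          handler_enforces_ownership(set_device_state_vulnerable))  # False
    print("fixed handler isolates tenants:",
          handler_enforces_ownership(set_device_state_fixed))       # True
```

The point of the `denied_log` parameter is that a cross-owner request against the hardened handler is not just refused but recorded; a burst of such denials from one session is the signal a defender would alert on.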
Prerequisites
  • Network access to YoSmart server communications (internet-facing)
  • No authentication required to exploit the authorization vulnerabilities
Tags: remotely exploitable, no authentication required, low complexity, improper authorization (CWE-863), weak encryption/cleartext transmission (CWE-319)
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (3): 1 with fix, 1 pending, 1 EOL

Product                     Affected Versions          Fix Status
YoSmart server              vers:all/* (all versions)  Fix available
YoLink Mobile Application   < v1.40.45                 No fix yet
YoLink Smart Hub            0382                       No fix (EOL)
Remediation & Mitigation

Schedule: requires maintenance window

Patching may require device reboot — plan for process interruption

[HOTFIX] Update YoLink Mobile Application to v1.40.45 or later on all user devices
[HOTFIX] Verify that all YoSmart server backend updates have been deployed by YoSmart (no user action required, but confirm with vendor)

Mitigations (no patch available)

YoLink Smart Hub 0382 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
[HARDENING] Recommend users change YoLink credentials and review connected smart home device access logs for unauthorized activity
[HARDENING] Isolate YoLink Smart Hub devices on a network segment separate from critical infrastructure if used in a facility control context