YoSmart Security Advisory
YOSMART-SA-2025-001
Published: 2025-10-10
Last Updated: 2025-11-04
Severity: Multiple (See Details)
1. Summary
YoSmart received a report from a third-party security research firm identifying four vulnerabilities affecting YoSmart cloud services, the YoLink Application, and YoLink device firmware.
YoSmart has investigated all findings and confirms that all issues have been resolved through server-side patches, firmware updates, and application updates. We thank the researchers for their coordinated disclosure.
2. Vulnerability Details
CVE-2025-59449 & CVE-2025-59451: MQTT Interface Authentication Bypass
- Description: A flaw existed in the YoSmart server's internal caching system, which could lead to an authentication bypass for the MQTT interface used by the YoLink App.
- Severity: Medium & Low
- CVSS Score: 4.9 & 3.5
- Status: Resolved
- Solution: A fix has been deployed by our engineering team on the server backend. This issue is fully resolved.
- User Impact: No user action is required. All users are protected.
CVE-2025-59452: YoLink Device Firmware Vulnerability
- Description: A flaw was identified in the legacy authentication algorithm for the YoLink Hub's profile API. The algorithm relied on a static slot that was at risk of exposure, potentially allowing authentication bypass.
- Affected Products: YS1603
- Severity: Medium
- CVSS Score: 5.8
- Status: Resolved
- Solution: The API has been updated to support a new, dynamic authentication algorithm, and Hub firmware version 0383 has been released concurrently.
- User Impact: Once a Hub device is updated to version 0383, the API will recognize the update and reject any attempts from that device to use the old (vulnerable) authentication algorithm. Affected devices are being automatically updated in stages via OTA (Over-the-Air). No manual user action is required, though users may verify their firmware version in the YoLink App.
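The server-side behaviour described above (accept the legacy algorithm only from Hubs that have not yet received firmware 0383, and never again from a Hub once it has run 0383) can be modelled as a per-device version ratchet. The following is an added illustration, not YoSmart's code; the request fields, method names and the rule that an unknown or not-yet-updated Hub may still use the legacy path during the staged OTA rollout are assumptions.

```python
"""Hypothetical version-ratcheted authentication policy, illustrating the mitigation
described in the advisory. Not YoSmart/YoLink code; field names and the staged-rollout
rule are assumptions."""
from __future__ import annotations
from dataclasses import dataclass

FIXED_FIRMWARE = 383  # Hub firmware 0383 from the advisory, as an integer


@dataclass
class DeviceState:
    highest_firmware_seen: int = 0  # 0 means no version has been observed yet


class AuthPolicy:
    def __init__(self) -> None:
        self._devices: dict[str, DeviceState] = {}

    def authenticate(self, device_id: str, reported_version: str, method: str) -> tuple[bool, str]:
        """Decide one authentication attempt; returns (accepted, reason).

        reported_version: zero-padded firmware string such as "0383" (assumed request field).
        method: "dynamic" (new algorithm) or "legacy" (static-slot algorithm, vulnerable).
        """
        try:
            version = int(reported_version)
        except ValueError:
            return False, "malformed firmware version"
        state = self._devices.setdefault(device_id, DeviceState())
        # Ratchet: remember the highest version this device has ever reported, so a later
        # request claiming an older version cannot reopen the legacy path. A device that
        # falsely claims a newer version only locks itself out of legacy (fails closed).
        if version > state.highest_firmware_seen:
            state.highest_firmware_seen = version
        if method == "dynamic":
            return True, "dynamic algorithm accepted"
        if method != "legacy":
            return False, f"unknown authentication method {method!r}"
        if state.highest_firmware_seen >= FIXED_FIRMWARE:
            return False, "legacy algorithm rejected: device has run firmware 0383 or newer"
        # Staged OTA rollout (assumption): a Hub not yet on 0383 may still use legacy.
        return True, "legacy algorithm accepted pending OTA update"

    def highest_seen(self, device_id: str) -> int:
        return self._devices.get(device_id, DeviceState()).highest_firmware_seen
```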
CVE-2025-59448: Insecure Data Transmission in YoLink Application
- Description: Certain communications in older versions of the YoLink application did not enforce SSL encryption, creating a risk of insecure data transmission.
- Severity: Medium
- CVSS Score: 4.7
- Status: Resolved
- Solution: This issue was resolved in YoLink App v1.40.45 (released June 2025) by enforcing SSL encryption.
- User Impact: Users running v1.40.45 or newer are protected.
- User Recommendation: YoSmart strongly recommends all users keep their YoLink app updated to the latest version available in the Google Play or Apple App Store.
3. Solution Summary
| Vulnerability (CVE) | Affected Component | Solution | User Action Required? |
|---|---|---|---|
| CVE-2025-59449 | YoSmart Cloud Server | Server-side patch (Deployed) | No |
| CVE-2025-59451 | YoSmart Cloud Server | Server-side patch (Deployed) | No |
| CVE-2025-59452 | YoLink Hub - YS1603 | Firmware 0383 (Automatic OTA) | No (Verify) |
| CVE-2025-59448 | YoLink Application | App v1.40.45 or newer | Yes (Ensure app is updated) |
4. Acknowledgements
YoSmart is committed to the security and integrity of our customers, products, and services. We appreciate the valuable contributions of Nick Cerne and CERT/CC in the coordinated disclosure process.
5. Contact
For any questions regarding this advisory, please contact yaochi@yosmart.com.