
CVE-2025-59448: CWE-319 Cleartext Transmission of Sensitive Information in YoSmart YoLink ecosystem

Severity: Medium
Tags: CVE-2025-59448, CWE-319
Published: Mon Oct 06 2025 (10/06/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: YoSmart
Product: YoLink ecosystem

Description

Components of the YoSmart YoLink ecosystem through 2025-10-02 leverage unencrypted MQTT to communicate over the internet. An attacker with the ability to monitor network traffic could therefore obtain sensitive information or tamper with the traffic to control affected devices. This affects YoLink Hub 0382, YoLink Mobile Application 1.40.41, and YoLink MQTT Broker. NOTE: The vendor states that the vulnerability described (related to insecure transmission) only impacts the legacy mobile application logic, not the Hub hardware or firmware. The Hub functions solely as a pass-through (transparent gateway) for LoRa wireless data and does not inspect or process the application layer data.

AI-Powered Analysis

Last updated: 12/02/2025, 18:44:24 UTC

Technical Analysis

CVE-2025-59448 covers components of the YoSmart YoLink ecosystem that use MQTT without TLS for communication over the internet. MQTT is a lightweight publish/subscribe protocol widely used in IoT; without a TLS layer, the broker credentials carried in the CONNECT packet, the topic names, and every published message cross the network in cleartext. The affected components are the legacy YoLink Mobile Application 1.40.41 and the YoLink MQTT Broker. The CVE record also lists YoLink Hub 0382, but the vendor states that the Hub is only a transparent gateway for LoRa radio data and does not inspect or process application-layer traffic, so the Hub hardware and firmware are not affected by the transmission weakness. An attacker who can passively observe the traffic can read sensitive data such as credentials, device state and commands; an attacker positioned on the path can additionally modify or replay messages to control affected devices. The weakness is classified as CWE-319 (Cleartext Transmission of Sensitive Information). The CVSS v3.1 base score is 4.7 (medium): adjacent attack vector (AV:A), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), changed scope (S:C), low confidentiality and integrity impact (C:L/I:L) and no availability impact (A:N). The adjacent rating reflects the need for a traffic-observation position; because the traffic crosses the internet, that position also includes any network on the path between the client and the broker. No patches or updates are linked in the record and no exploitation in the wild is known. The CVE was reserved on September 16, 2025 and published on October 6, 2025. The vendor has acknowledged the issue and maintains that it affects only the legacy mobile application logic, not the Hub hardware or firmware.

Potential Impact

For European organizations running the YoSmart YoLink ecosystem, particularly those still using the legacy mobile application or relying on the MQTT Broker for device management, the weakness exposes device telemetry, commands and broker credentials to anyone who can observe the traffic, and exposes device control to anyone who can alter it. That includes other hosts on the same local or wireless network, hostile or compromised networks a mobile device joins, and any intermediary on the internet path to the broker. The consequences are privacy breaches, unauthorized manipulation of IoT devices, and disruption of business processes that depend on those devices. The Hub hardware is not itself vulnerable, but the ecosystem's overall security posture is weakened. Sectors with critical IoT deployments, including smart buildings, industrial automation and healthcare, face the highest operational risk. The medium CVSS score reflects the limited direct impact; captured credentials can still be reused against the broker, and sniffed traffic reveals which devices exist and how they are used, which helps an attacker plan further steps in a complex environment. The absence of known exploits lowers immediate risk but does not remove it, since passive interception leaves no trace on the victim's devices and IoT ecosystems with weak transport encryption are routinely targeted.

Mitigation Recommendations

European organizations should first retire the legacy YoLink Mobile Application 1.40.41 in favour of a current release, since the vendor attributes the insecure transmission to the legacy application logic, and confirm with a packet capture that the replacement connects to the broker over TLS rather than cleartext MQTT. Broker-side fixes belong to the vendor: engage YoSmart for updates and verify that new releases address the encryption deficiency. In the meantime, segment IoT traffic from general enterprise traffic and keep the hosts that run the YoLink application on networks that untrusted devices cannot join, which removes the adjacent-network observer the CVSS vector assumes. Route remote access to IoT devices through a VPN or another encrypted tunnel so the MQTT session is protected in transit even where the application itself is not. Monitor for MQTT on the conventional cleartext port 1883 and for CONNECT packets carrying credentials, and alert on publishes to control topics from unexpected sources. Enforce strong authentication and strict access control on any MQTT broker the organization operates itself. Regular security assessments of IoT ecosystems and staff awareness of IoT security practices reduce exposure further.
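The following Python is an added example, not code from YoSmart or from the YoLink products, written to show two things the analysis and the mitigation notes describe: what a passive observer recovers from a cleartext MQTT 3.1.1 CONNECT packet (the broker credentials arrive as plain length-prefixed strings), and a triage check a monitoring tool can run on the first payload of a flow to a broker port to flag cleartext logins. The packet it decodes is constructed inside the block; the client ID, username and password are made up, and the port numbers are the conventional MQTT ports, not anything specific to YoLink.

```python
"""Added example: decode a cleartext MQTT 3.1.1 CONNECT and triage broker flows.
All packets here are constructed in this file; none is real YoLink traffic."""
import struct
from dataclasses import dataclass
from typing import Optional

MQTT_PLAINTEXT_PORT = 1883  # conventional port for unencrypted MQTT
MQTT_TLS_PORT = 8883        # conventional port for MQTT over TLS


@dataclass
class ConnectInfo:
    client_id: str
    username: Optional[str]
    password: Optional[bytes]
    clean_session: bool
    keep_alive: int
    will_topic: Optional[str]


def _encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 data bits per byte, MSB set means 'more'."""
    out = bytearray()
    while True:
        n, b = divmod(n, 128)
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def _decode_remaining_length(buf: bytes, pos: int) -> tuple:
    value, mult = 0, 1
    for _ in range(4):  # the spec allows at most four length bytes
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos
        mult *= 128
    raise ValueError("malformed remaining length")


def _mqtt_string(data: bytes) -> bytes:
    """Length-prefixed field: 2-byte big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_field(buf: bytes, pos: int) -> tuple:
    (n,) = struct.unpack_from(">H", buf, pos)
    start = pos + 2
    if start + n > len(buf):
        raise ValueError("truncated field")
    return buf[start:start + n], start + n


def build_connect(client_id: str, username: Optional[str] = None,
                  password: Optional[bytes] = None, keep_alive: int = 60) -> bytes:
    """Build an MQTT 3.1.1 CONNECT packet (used only to construct sample input)."""
    flags = 0x02  # clean session; bit 7 = username present, bit 6 = password present
    payload = _mqtt_string(client_id.encode())
    if username is not None:
        flags |= 0x80
        payload += _mqtt_string(username.encode())
    if password is not None:
        flags |= 0x40
        payload += _mqtt_string(password)
    var_header = _mqtt_string(b"MQTT") + bytes([4, flags]) + struct.pack(">H", keep_alive)
    body = var_header + payload
    return bytes([0x10]) + _encode_remaining_length(len(body)) + body


def parse_connect(packet: bytes) -> ConnectInfo:
    """Decode a CONNECT packet; on a cleartext link this is exactly what a sniffer gets."""
    if not packet or packet[0] != 0x10:  # type 1, reserved flag bits must be zero
        raise ValueError("not a CONNECT packet")
    remaining, pos = _decode_remaining_length(packet, 1)
    body = packet[pos:pos + remaining]
    if len(body) != remaining:
        raise ValueError("truncated packet")
    name, p = _read_field(body, 0)
    if name != b"MQTT" or body[p] != 4:
        raise ValueError("not MQTT 3.1.1")
    flags = body[p + 1]
    (keep_alive,) = struct.unpack_from(">H", body, p + 2)
    p += 4
    client_id, p = _read_field(body, p)
    will_topic = None
    if flags & 0x04:  # will flag: topic and message precede the credentials
        topic, p = _read_field(body, p)
        will_topic = topic.decode()
        _, p = _read_field(body, p)
    username = password = None
    if flags & 0x80:
        raw, p = _read_field(body, p)
        username = raw.decode()
    if flags & 0x40:
        password, p = _read_field(body, p)
    return ConnectInfo(client_id.decode(), username, password,
                       bool(flags & 0x02), keep_alive, will_topic)


def assess_flow(dst_port: int, first_payload: bytes) -> str:
    """Triage the first client-to-server payload of a TCP flow to a broker port."""
    if first_payload[:2] == b"\x16\x03":  # TLS record: handshake, any TLS 1.x version
        return "TLS handshake"
    try:
        info = parse_connect(first_payload)
    except ValueError:
        return "unknown"
    creds = "with credentials" if info.username or info.password else "without credentials"
    return f"cleartext MQTT CONNECT {creds} (dst port {dst_port})"


# Constructed sample: a demo client logging in over plaintext. Not real YoLink traffic.
SAMPLE_CONNECT = build_connect("yolink-app-demo", "demo-user", b"demo-pass")

if __name__ == "__main__":
    print(assess_flow(MQTT_PLAINTEXT_PORT, SAMPLE_CONNECT))
    print(parse_connect(SAMPLE_CONNECT))
```

Run against a capture, `assess_flow` would be fed the destination port and first client payload of each new TCP flow; a result of "cleartext MQTT CONNECT with credentials" on an internet-bound flow is the condition this CVE describes. On the client side the fix is transport-level: the widely used paho-mqtt library, for example, switches a client to MQTT over TLS with `Client.tls_set()`, and the same triage then reports "TLS handshake" for the flow.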


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-09-16T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68e420ef315b94cd1520a156

Added to database: 10/6/2025, 8:05:03 PM

Last enriched: 12/2/2025, 6:44:24 PM

Last updated: 1/7/2026, 4:24:10 AM

