CVE-2025-59449 is a vulnerability classified under CWE-863 (Incorrect Authorization) affecting the YoSmart YoLink MQTT broker up to version 0, published on October 6, 2025. The core issue lies in the broker's failure to enforce sufficient authorization controls, which allows an attacker to perform cross-account attacks by remotely controlling devices associated with other users. The attack vector is network-based (AV:N), requiring low privileges (PR:L) but no user interaction (UI:N). The vulnerability's scope is changed (S:C), meaning it can affect resources beyond the initially compromised component. The confidentiality and integrity impacts are low (C:L, I:L), with no impact on availability (A:N). The vulnerability arises because YoLink device IDs are predictable, enabling attackers to guess or enumerate device IDs and gain unauthorized control over devices. This flaw allows attackers to bypass intended access controls and operate devices remotely, potentially leading to privacy breaches or unauthorized manipulation of IoT devices. No patches or known exploits are currently available, but the predictable nature of device IDs and insufficient authorization checks make this a notable risk. The vulnerability affects all versions up to the reported one, and the lack of user interaction required increases the risk of automated exploitation attempts.

For European organizations, this vulnerability poses a risk primarily to those deploying YoLink IoT devices, especially in smart home or building automation contexts. Unauthorized control over devices can lead to privacy violations, unauthorized surveillance, or manipulation of physical environments, potentially affecting employee safety or operational integrity. While the impact on availability is none, the compromise of confidentiality and integrity could lead to loss of trust, regulatory non-compliance (e.g., GDPR concerns), and reputational damage. The medium CVSS score reflects moderate risk, but the ease of guessing device IDs and network-based exploitation could increase the threat in environments with weak network segmentation or insufficient monitoring. Organizations relying on these devices for critical functions should consider the risk of unauthorized access and potential lateral movement within their networks.

To mitigate this vulnerability, organizations should: 1) Immediately audit and inventory all YoLink devices in use to understand exposure. 2) Work with YoSmart to obtain patches or firmware updates that enforce strict authorization checks and eliminate predictable device IDs. 3) Implement network segmentation to isolate IoT devices from critical infrastructure and sensitive data networks. 4) Employ network monitoring and anomaly detection to identify unusual device control commands or access patterns. 5) Use strong authentication and authorization mechanisms at the MQTT broker level, including mutual TLS or token-based authentication where possible. 6) Rotate or randomize device identifiers if supported, or restrict access to device IDs to trusted users only. 7) Educate users and administrators about the risks of device ID exposure and encourage secure device management practices. 8) Consider disabling remote access features until patches are applied or mitigations are in place.