CVE-2025-59449: CWE-863 Incorrect Authorization in YoSmart YoLink MQTT broker
The YoSmart YoLink MQTT broker through 2025-10-02 does not enforce sufficient authorization controls to prevent cross-account attacks, allowing an attacker to remotely operate affected devices if the attacker obtains the associated device IDs. Because YoLink device IDs are predictable, an attacker can exploit this to gain full control over any other YoLink user's devices.
AI Analysis
Technical Summary
CVE-2025-59449 is an authorization vulnerability classified under CWE-863 affecting the YoSmart YoLink MQTT broker. The broker fails to enforce sufficient authorization controls, enabling cross-account attacks where an attacker can remotely control devices belonging to other users. The root cause is the predictability of YoLink device IDs, which allows an attacker to guess or enumerate device identifiers and send MQTT commands to those devices without proper authorization checks. The vulnerability affects all versions up to 2025-10-02, with no patches currently available. The CVSS 3.1 base score is 4.9 (medium), reflecting network attack vector, high attack complexity, low privileges required, no user interaction, and partial confidentiality and integrity impact without affecting availability. Exploitation requires the attacker to have network access to the MQTT broker and knowledge or ability to predict device IDs. Once exploited, the attacker can issue commands to devices, potentially manipulating smart home or industrial IoT equipment remotely. This undermines device confidentiality and integrity, potentially leading to unauthorized control, privacy breaches, and operational disruptions. No known exploits have been reported in the wild, but the vulnerability poses a significant risk due to the widespread use of YoLink devices in IoT environments.
Potential Impact
For European organizations, the vulnerability could lead to unauthorized remote control of IoT devices, impacting privacy, operational integrity, and potentially safety depending on device function. Confidentiality is compromised as attackers can access device states and control commands. Integrity is affected since attackers can manipulate device behavior, potentially causing incorrect operations or disruptions. Although availability is not directly impacted, indirect effects such as operational disruptions or safety incidents could occur. Organizations relying on YoLink devices for smart building management, industrial automation, or home automation are particularly at risk. The cross-account nature of the attack means that even users with properly secured accounts could have their devices compromised if device IDs are predictable. This could lead to data leakage, unauthorized surveillance, or sabotage of critical IoT infrastructure. The medium CVSS score reflects moderate ease of exploitation but significant potential impact on confidentiality and integrity.
Mitigation Recommendations
1. Network Segmentation: Isolate the YoLink MQTT broker and associated IoT devices on dedicated network segments with strict access controls to limit exposure to untrusted networks.
2. Access Control: Implement firewall rules to restrict inbound and outbound MQTT traffic to known, authorized IP addresses and devices.
3. Device ID Management: Where possible, randomize or obfuscate device IDs to reduce predictability and enumeration risk.
4. Monitoring and Logging: Deploy anomaly detection systems to monitor MQTT traffic for unusual commands or access patterns indicative of cross-account attacks.
5. Vendor Engagement: Urge YoSmart to release patches that enforce robust authorization checks and improve device ID generation mechanisms.
6. Incident Response: Prepare response plans for potential device compromise, including device reset and credential rotation.
7. User Awareness: Educate users on the risks of sharing device IDs and the importance of securing network access to IoT devices.
8. Firmware Updates: Regularly check for and apply vendor updates once available to remediate the vulnerability.
9. Alternative Solutions: Evaluate alternative IoT platforms with stronger built-in security controls if patching is delayed.
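The CWE-863 pattern described in the technical summary, and the monitoring step in recommendation 4, as an added example that is not YoLink's code: a broker-side publish check that ties the device ID in a command topic to the authenticated account, shown beside the flawed version that only checks authentication, plus a scan of constructed broker log lines for cross-account command attempts. The topic layout (`devices/<device_id>/cmd`), the owner registry and the log format are assumptions, not YoLink's real scheme.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed owner registry (device_id -> owning account); not YoLink data.
OWNERS: Dict[str, str] = {"d-000123": "alice", "d-000124": "alice", "d-000125": "bob"}

# Assumed command topic layout, e.g. devices/d-000123/cmd (not YoLink's real scheme).
CMD_TOPIC = re.compile(r"^devices/(?P<device_id>[A-Za-z0-9-]+)/cmd$")


def vulnerable_authorize(account: str, topic: str) -> bool:
    """CWE-863 pattern: any authenticated account may publish to any well-formed
    command topic, because the device ID is never tied back to the account."""
    return bool(account) and CMD_TOPIC.match(topic) is not None


def authorize_publish(account: str, topic: str, owners: Dict[str, str] = OWNERS) -> bool:
    """Hardened check: the publishing account must own the device named in the
    topic. Unknown devices and non-command topics are denied (fail closed)."""
    m = CMD_TOPIC.match(topic)
    return m is not None and owners.get(m.group("device_id")) == account


# Constructed broker log format: "<ts> PUBLISH account=<acct> topic=<topic>".
LOG_LINE = re.compile(r"PUBLISH account=(?P<acct>\S+) topic=(?P<topic>\S+)")
SAMPLE_LOG = [
    "2025-10-02T10:00:01Z PUBLISH account=alice topic=devices/d-000123/cmd",
    "2025-10-02T10:00:02Z PUBLISH account=bob topic=devices/d-000125/cmd",
    "2025-10-02T10:00:03Z PUBLISH account=mallory topic=devices/d-000123/cmd",
    "2025-10-02T10:00:04Z SUBSCRIBE account=bob topic=devices/d-000125/status",
]


def find_cross_account_publishes(
    lines: Iterable[str], owners: Dict[str, str] = OWNERS
) -> List[Tuple[str, str]]:
    """Detection for recommendation 4: (account, device_id) pairs where an
    account sent a command to a device it does not own, i.e. exactly what the
    broker should have rejected."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m is None:
            continue
        t = CMD_TOPIC.match(m.group("topic"))
        if t is not None and owners.get(t.group("device_id")) != m.group("acct"):
            hits.append((m.group("acct"), t.group("device_id")))
    return hits
```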
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-09-16T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Added to database: 10/6/2025, 8:05:03 PM
Last enriched: 11/26/2025, 4:29:29 PM
Last updated: 1/7/2026, 8:45:47 AM