YoSmart YoLink MQTT Broker Cross-Account Authorization Vulnerability

Vulnerability

A vulnerability in the YoSmart YoLink MQTT broker, present in versions through October 2, 2025, allows for cross-account attacks by failing to enforce proper authorization controls. This flaw enables an attacker to remotely control devices of other users if they acquire the corresponding device IDs. The predictability of YoLink device IDs further facilitates this exploitation, potentially leading to unauthorized access and control over various smart home devices, including locks and garage door openers.
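The core defect described above is a broker that authenticates the client but never checks that the device named in a command topic belongs to that client's account. The following is an added illustration of that broker-side ownership check, not YoLink's code: the topic layout `yl/<device_id>/cmd`, the account names and the device IDs are constructed assumptions, since the real topic scheme is not on the page.

```python
# Added example (not YoLink's code): broker-side publish authorization that ties
# each device to its owning account. Topic layout "yl/<device_id>/cmd", the
# ownership table and all IDs below are constructed assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class DeviceRegistry:
    # device_id -> owning account id (constructed sample data)
    owners: Dict[str, str] = field(default_factory=dict)

    def register(self, device_id: str, account: str) -> None:
        self.owners[device_id] = account


def parse_device_id(topic: str) -> Optional[str]:
    """Return the device id from a command topic, or None if the shape is wrong."""
    parts = topic.split("/")
    if len(parts) != 3 or parts[0] != "yl" or parts[2] != "cmd" or not parts[1]:
        return None
    return parts[1]


def authorize_publish_vulnerable(registry: DeviceRegistry, account: str, topic: str) -> bool:
    """The flaw the page describes: any authenticated client may publish a
    command to any device; the ownership table is never consulted."""
    return parse_device_id(topic) is not None


def authorize_publish_fixed(registry: DeviceRegistry, account: str, topic: str) -> bool:
    """Hardened check: the device in the topic must belong to the authenticated
    account. Malformed topics and unknown devices are denied (default deny)."""
    device_id = parse_device_id(topic)
    if device_id is None:
        return False
    return registry.owners.get(device_id) == account


# Constructed sample: two accounts, one lock each.
REGISTRY = DeviceRegistry()
REGISTRY.register("dev-A", "alice")
REGISTRY.register("dev-B", "bob")


def demo():
    # alice publishes a command addressed to bob's device
    topic = "yl/dev-B/cmd"
    return (authorize_publish_vulnerable(REGISTRY, "alice", topic),
            authorize_publish_fixed(REGISTRY, "alice", topic))


if __name__ == "__main__":
    print(demo())  # (True, False): the vulnerable check allows it, the fixed one denies it
```

A real broker would wire the fixed check into its publish-ACL hook and log every denial, since a burst of denied cross-account publishes is the detection signal for this class of abuse.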

Impact

Exploitation of this vulnerability allows for unauthorized control of YoLink devices belonging to other users, with the potential to unlock smart locks or open garage doors, depending on the devices targeted.

Reproduction

The vulnerability can be reproduced by obtaining the MQTT credentials for a YoLink account and then using those credentials to publish commands to devices associated with a different account. This can be done by calculating the device ID of a YoLink smart lock and sending a command to unlock it, all while authenticated to a separate account.

Remediation

Users are advised to treat the YoLink hub as untrusted, disconnect it from critical networks, avoid using it for access control, and consider switching to vendors that provide regular security updates.

Added: Oct 6, 2025, 8:20 PM
Updated: Oct 6, 2025, 8:20 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         2.5
exploitability: 7.6
remediation:    0.0
relevance:      0.6
threat:         6.4
urgency:        2.9
incentive:      0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.