Critical Vulnerabilities in YoSmart YoLink Smart Hub Expose Smart Homes to Remote Attacks
CISA warns of severe flaws in YoSmart YoLink Smart Hub (CVE-2026-23456, CVE-2026-23457) enabling device takeover, data interception, and session hijacking.
Critical Flaws in YoSmart YoLink Smart Hub Enable Remote Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed multiple critical vulnerabilities in YoSmart YoLink Smart Hub, a widely used smart home automation device. Successful exploitation of these flaws could allow threat actors to remotely control connected smart home devices, intercept sensitive data, and hijack user sessions—posing severe risks to residential and small business IoT ecosystems.
Technical Details
The vulnerabilities affect YoSmart YoLink Smart Hub firmware versions prior to 4.1.2.6 and are tracked under the following CVE IDs:
- CVE-2026-23456 – Improper Authentication (CVSS 9.8): Allows unauthenticated attackers to bypass authentication mechanisms via crafted network requests, granting unauthorized access to the device.
- CVE-2026-23457 – Insecure Direct Object Reference (CVSS 8.5): Enables attackers to manipulate device IDs or session tokens, leading to session hijacking or unauthorized control of other users’ smart home devices.
Additional technical specifics, including proof-of-concept (PoC) details, are available in the CSAF advisory.
Impact Analysis
If exploited, these vulnerabilities could result in:
- Unauthorized remote control of smart locks, cameras, thermostats, and other IoT devices connected to the YoLink Hub.
- Interception of sensitive data, including device credentials, network traffic, and user activity logs.
- Session hijacking, allowing attackers to impersonate legitimate users and execute commands on their behalf.
- Lateral movement within smart home networks, potentially compromising additional devices.
The high CVSS scores (9.8 and 8.5) underscore the urgency of patching, particularly given the hub’s role as a central control point for smart home ecosystems.
Recommendations for Security Teams
CISA and YoSmart urge users to take the following actions immediately:
- Apply the latest firmware update (v4.1.2.6 or later) via the YoLink mobile app or official website.
- Isolate the YoLink Hub from untrusted networks until patches are applied.
- Monitor network traffic for unusual activity, such as unauthorized API calls or device reconfigurations.
- Enforce strong authentication for all connected IoT devices, including multi-factor authentication (MFA) where possible.
- Review CISA’s advisory for additional mitigation strategies and indicators of compromise (IoCs).
For further guidance, refer to the official CISA advisory (ICSA-26-013-03).
This is a developing story. Updates will be provided as more information becomes available.