Cybersecurity researchers at Bishop Fox have disclosed multiple vulnerabilities in the YoLink Smart Hub v0382, a $20 gateway used to manage smart locks, sensors and plugs, leaving users exposed to remote attackers, according to a technical write-up shared with Hackread.com. The hub acts as the central point of control for the vendor's ecosystem.
The researchers said they began work earlier this year, physically examined the hub and identified several previously unknown flaws. According to the report, the device is built on an ESP32 system-on-chip, communicates with the mobile app over the MQTT protocol and relays messages to end devices over LoRa radio.
Bishop Fox identified an authorization bypass rated critical and tracked as CVE-2025-59449, as well as a related insufficient-authorization issue (CVE-2025-59452): the system does not properly verify a user's identity before granting access. According to the researchers, CVE-2025-59449 allows an attacker who obtains predictable device IDs to control devices belonging to other users.
Additional critical flaws reported by Bishop Fox include transmission of sensitive data in clear text (tracked as CVE-2025-59448) and session-management failures (CVE-2025-59451). The researchers said unencrypted MQTT communication can expose credentials and Wi-Fi passwords and that they were able to operate a smart lock in another user’s home during testing.
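To make the clear-text finding concrete, the following added example (not code from Bishop Fox's write-up or from YoSmart) shows what a passive observer on the network path recovers from an unencrypted MQTT 3.1.1 CONNECT packet: the client ID, username and password are sent as length-prefixed plain strings. The packet bytes, client ID and credentials below are constructed for the demonstration and are not a capture from a YoLink hub; the parser itself follows the public MQTT 3.1.1 packet format.

```python
"""Parse a clear-text MQTT 3.1.1 CONNECT packet and pull out the credentials.

Constructed example: the packet bytes are built locally from made-up values.
Nothing here is specific to YoLink; it illustrates why MQTT over plain TCP
(port 1883, no TLS) exposes credentials to anyone who can see the traffic.
"""
import struct


def _encode_remaining_length(n):
    """MQTT variable-length 'remaining length': 7 bits per byte, 0x80 = more."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)


def _decode_remaining_length(buf, pos):
    """Inverse of _encode_remaining_length; returns (value, new_pos)."""
    multiplier, value = 1, 0
    while True:
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:  # spec allows at most 4 length bytes
            raise ValueError("malformed remaining length")


def _read_string(buf, pos):
    """MQTT UTF-8 string: 2-byte big-endian length followed by the bytes."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def build_connect(client_id, username=None, password=None, keepalive=60):
    """Build a minimal CONNECT packet (clean session, no will message)."""
    flags = 0x02  # clean session
    payload = struct.pack(">H", len(client_id)) + client_id
    if username is not None:
        flags |= 0x80
        payload += struct.pack(">H", len(username)) + username
    if password is not None:
        flags |= 0x40
        payload += struct.pack(">H", len(password)) + password
    var_header = (struct.pack(">H", 4) + b"MQTT" + bytes([4, flags])
                  + struct.pack(">H", keepalive))
    body = var_header + payload
    return bytes([0x10]) + _encode_remaining_length(len(body)) + body


def parse_connect(packet):
    """Return {client_id, username, password} from a CONNECT packet.

    Returns None when the packet is some other MQTT control type; raises
    ValueError on malformed input (truncation, wrong protocol name).
    """
    if not packet or packet[0] >> 4 != 1:  # control packet type 1 = CONNECT
        return None
    remaining, pos = _decode_remaining_length(packet, 1)
    if len(packet) - pos < remaining:
        raise ValueError("truncated packet")
    proto_name, pos = _read_string(packet, pos)
    if proto_name != b"MQTT":
        raise ValueError("not an MQTT 3.1.1 CONNECT: %r" % proto_name)
    flags = packet[pos + 1]          # packet[pos] is the protocol level
    pos += 4                         # level, flags, 2-byte keep-alive
    client_id, pos = _read_string(packet, pos)
    if flags & 0x04:                 # will flag: skip will topic and message
        _, pos = _read_string(packet, pos)
        _, pos = _read_string(packet, pos)
    username = password = None
    if flags & 0x80:
        username, pos = _read_string(packet, pos)
    if flags & 0x40:
        password, pos = _read_string(packet, pos)
    return {
        "client_id": client_id.decode("utf-8"),
        "username": username.decode("utf-8") if username is not None else None,
        "password": password.decode("utf-8") if password is not None else None,
    }


def credentials_exposed(packet):
    """True if a CONNECT packet carries a username or password in the clear."""
    parsed = parse_connect(packet)
    return bool(parsed) and (parsed["username"] is not None
                             or parsed["password"] is not None)


# Constructed sample: hypothetical hub client ID and made-up credentials.
SAMPLE_CONNECT = build_connect(b"hub-example", b"user@example.com", b"hunter2")

if __name__ == "__main__":
    print(parse_connect(SAMPLE_CONNECT))
```

In practice the same parser can be pointed at the TCP payload of the first client packet in a port 1883 session from a capture such as `tcpdump -i <iface> port 1883 -w mqtt.pcap`; if `credentials_exposed` returns True for any hub on the network, that device is sending its broker login in the clear. MQTT over TLS (conventionally port 8883) hides this entire exchange from a passive observer.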
Bishop Fox warned that the hub’s role as a single control point means an attacker could potentially “obtain physical access to YoLink customers’ homes,” and shared details in a technical blog post. The article noted the manufacturer, YoSmart, has not yet provided a patch or fix.
Until a vendor update is available, the researchers advised treating the v0382 hub as unsafe: disconnect it from essential home networks, do not use it for functions that control physical access, and consider switching to a vendor that issues regular security updates. The flaws are publicly disclosed and are tracked under four separate CVE identifiers (CVE-2025-59448, CVE-2025-59449, CVE-2025-59451 and CVE-2025-59452).