
CVE-2025-10204: CWE-306 Missing Authentication for Critical Function in LG Electronics AC Smart II

Severity: High
Tags: Vulnerability, CVE-2025-10204, CWE-306
Published: Sun Sep 14 2025 (09/14/2025, 12:43:30 UTC)
Source: CVE Database V5
Vendor/Project: LG Electronics
Product: AC Smart II

Description

A vulnerability has been discovered in AC Smart II where passwords can be changed without authorization. This page contains a hidden form for resetting the administrator password. The attacker can manipulate the page using developer tools to display and use the form. This form allows you to change the administrator password without verifying login status or user permissions.

AI-Powered Analysis

Last updated: 09/22/2025, 00:37:22 UTC

Technical Analysis

CVE-2025-10204 is a high-severity vulnerability affecting LG Electronics' AC Smart II product, version 2.1.9. The vulnerability is classified under CWE-306, which pertains to missing authentication for critical functions. Specifically, the issue arises from a hidden form within the AC Smart II interface that allows resetting the administrator password without any authentication or authorization checks. An attacker with network access to the device's management interface can manipulate the page using browser developer tools to reveal and submit this hidden password reset form. Because the form does not verify the login status or user permissions, the attacker can change the administrator password arbitrarily. This effectively grants full administrative control over the device without requiring any credentials or user interaction. The CVSS 4.0 score is 7.1 (high), with an attack vector of adjacent network (AV:A), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and a high impact on availability (VA:H). The vulnerability does not impact confidentiality or integrity directly but severely affects availability by enabling unauthorized administrative access, which can lead to device misuse, denial of service, or further compromise. No known exploits are currently in the wild, and no patches have been published yet. The vulnerability was publicly disclosed on September 14, 2025.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those deploying LG AC Smart II devices in critical infrastructure, commercial buildings, or smart facility management systems. Unauthorized password resets can lead to complete takeover of the device, allowing attackers to disrupt HVAC controls, cause denial of service, or use the compromised device as a foothold for lateral movement within internal networks. This could impact operational continuity, energy management, and physical environment controls, potentially leading to safety hazards or financial losses. Given the low attack complexity and no requirement for authentication or user interaction, attackers with network access (e.g., internal network or adjacent wireless networks) can exploit this vulnerability easily. The lack of patches increases the window of exposure. Organizations relying on these devices for environmental control should consider this a critical operational risk.

Mitigation Recommendations

Since no official patch is currently available, European organizations should implement immediate compensating controls. These include restricting network access to the AC Smart II management interface by segmenting the network and enforcing strict firewall rules to allow only trusted management stations. Disable or restrict remote management capabilities where possible. Monitor network traffic for unusual access patterns to the device’s web interface, especially attempts to access hidden forms or password reset endpoints. Employ network intrusion detection systems (NIDS) with custom signatures to detect exploitation attempts. Additionally, organizations should engage with LG Electronics for timelines on patches and apply them promptly once available. Consider deploying multi-factor authentication (MFA) at the network level or VPN access for device management to add an additional layer of security. Finally, conduct regular audits of device configurations and access logs to detect unauthorized changes.
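The Technical Analysis above describes the root cause (CWE-306: a password-reset handler that trusts the client to keep a form hidden instead of checking authentication and authorization on the server), and the Mitigation Recommendations ask for monitoring of password reset endpoints. The following is an added illustration written for this page, not code from LG Electronics or from the AC Smart II firmware: it models the vulnerable handler pattern beside a hardened one, and adds a small log check that flags successful reset requests carrying no session. The endpoint path `/admin/reset_password`, the `Device`/`Request` classes, the log line layout and all sample values are constructed assumptions; the real device's paths and log format are not given on this page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical endpoint used for illustration only; the real AC Smart II path is not on the page.
RESET_PATH = "/admin/reset_password"


@dataclass
class Request:
    method: str
    path: str
    form: Dict[str, str]
    session_token: Optional[str] = None  # session cookie value; None when unauthenticated


@dataclass
class Response:
    status: int
    body: str


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever credential store a real device uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Device:
    """Toy device state: one admin credential, a session table and a role table."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    admin_hash: bytes = b""
    sessions: Dict[str, str] = field(default_factory=dict)  # token -> username
    roles: Dict[str, str] = field(default_factory=lambda: {"admin": "admin", "viewer": "viewer"})

    def __post_init__(self) -> None:
        if not self.admin_hash:
            self.admin_hash = _hash("initial-admin-pw", self.salt)  # constructed sample credential

    def check_admin_password(self, candidate: str) -> bool:
        return hmac.compare_digest(_hash(candidate, self.salt), self.admin_hash)

    def login(self, username: str) -> str:
        token = secrets.token_urlsafe(16)
        self.sessions[token] = username
        return token


def reset_vulnerable(device: Device, req: Request) -> Response:
    """CWE-306 pattern: the only 'protection' is that the HTML form is hidden in the page.
    The server accepts any POST regardless of who sent it."""
    if req.method != "POST" or req.path != RESET_PATH:
        return Response(404, "not found")
    device.admin_hash = _hash(req.form["new_password"], device.salt)
    return Response(200, "password changed")


def reset_hardened(device: Device, req: Request) -> Response:
    """Hardened handler: authentication, authorization and re-authentication are enforced
    server-side, so the client-side form is irrelevant to security."""
    if req.method != "POST" or req.path != RESET_PATH:
        return Response(404, "not found")
    user = device.sessions.get(req.session_token or "")
    if user is None:
        return Response(401, "authentication required")
    if device.roles.get(user) != "admin":
        return Response(403, "admin role required")
    if not device.check_admin_password(req.form.get("current_password", "")):
        return Response(403, "current password incorrect")
    device.admin_hash = _hash(req.form["new_password"], device.salt)
    return Response(200, "password changed")


def flag_unauthenticated_resets(log_lines: List[str]) -> List[str]:
    """Return client addresses whose POST to the reset endpoint succeeded without a session.
    Assumed (constructed) line layout: '<timestamp> <client> <method> <path> session=<token|-> <status>'."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 6:
            continue  # skip lines that do not match the assumed layout
        _ts, client, method, path, session, status = parts
        if method == "POST" and path == RESET_PATH and session == "session=-" and status == "200":
            flagged.append(client)
    return flagged


# Constructed sample access log: one legitimate admin reset, one reset with no session at all.
SAMPLE_LOG = [
    "2025-09-14T12:00:01Z 192.0.2.5 GET /status session=abc123 200",
    "2025-09-14T12:00:07Z 192.0.2.5 POST /admin/reset_password session=abc123 200",
    "2025-09-14T12:43:30Z 192.0.2.10 POST /admin/reset_password session=- 200",
]
```

Run stand-alone, `reset_vulnerable` changes the credential for an unauthenticated request while `reset_hardened` returns 401; the log check reports only the client whose reset succeeded with no session, which is the signature a NIDS or web-log rule for this class of bug should key on.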


Technical Details

Data Version: 5.1
Assigner Short Name: LGE
Date Reserved: 2025-09-10T01:26:32.811Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c6b93c72e3f37451632354

Added to database: 9/14/2025, 12:46:52 PM

Last enriched: 9/22/2025, 12:37:22 AM

Last updated: 10/29/2025, 9:28:42 AM

Views: 65
