CVE-2025-10204: CWE-306 Missing Authentication for Critical Function in LG Electronics AC Smart II
Description
A vulnerability has been discovered in AC Smart II where passwords can be changed without authorization. This page contains a hidden form for resetting the administrator password. The attacker can manipulate the page using developer tools to display and use the form. This form allows you to change the administrator password without verifying login status or user permissions.
AI Analysis
Technical Summary
CVE-2025-10204 is a high-severity vulnerability in LG Electronics' AC Smart II, reported against version 2.1.9. It is classified as CWE-306 (Missing Authentication for Critical Function); the critical function here is changing the administrator password.

The web interface ships a form for resetting the administrator password that is hidden from view on the client side. The hiding is done by the page markup rather than by the server, so the form is already present in the HTML that any visitor receives, and browser developer tools simply make it visible again. The server-side handler that processes the form does not check that the submitter has a valid session or administrative rights, so anyone who can reach the management interface can set a new administrator password. Because the authorization gap is on the server, the developer-tools step is a convenience, not a requirement: the same request can be issued directly with any HTTP client.

The CVSS 4.0 base score is 7.1 (High). The vector rates the attack as adjacent network (AV:A), low complexity (AC:L), no privileges required (PR:N) and no user interaction (UI:N), with high impact on availability (VA:H) and no impact on confidentiality or integrity. As scored, the impact is lockout of legitimate administrators, i.e. loss of availability of device management rather than data leakage or modification. Note, however, that whoever sets the new password can subsequently log in as administrator, so once the password has been changed the management interface should be treated as compromised, not merely unavailable.

No exploitation in the wild had been reported and no patch had been published at the time of this report.
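The weakness class described above, as an added illustration (this is not LG's AC Smart II code, which the advisory does not show; the path /resetAdminPw, the sid cookie, the HTML snippet and the PBKDF2 hashing are assumptions chosen for the demo). The vulnerable handler ships the reset form to every visitor with display:none and accepts the POST from anyone; the hardened handler only emits the form to an authenticated admin, checks the session role on the state-changing request, requires the current password, and revokes other admin sessions after the change. The test shows that "hidden" on the client buys nothing: the unauthenticated POST never needs the form or developer tools.

```python
# Added example illustrating CWE-306 (missing authentication for a critical
# function) as described for CVE-2025-10204. Not AC Smart II firmware: the
# endpoint path, session cookie name, HTML and KDF are demo assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def pw_hash(password: str, salt: str) -> str:
    # PBKDF2 stands in for a proper password KDF; the point here is the
    # authorization check, not the hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


@dataclass
class Request:
    method: str
    path: str
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Device:
    salt: str = "demo-salt"
    admin_hash: str = ""
    sessions: dict = field(default_factory=dict)  # session id -> role

    def __post_init__(self):
        self.admin_hash = pw_hash("initial-admin-pw", self.salt)

    def check_admin_pw(self, password: str) -> bool:
        return hmac.compare_digest(self.admin_hash, pw_hash(password, self.salt))


# The reset form as the vulnerable page ships it: hidden by CSS, present in the HTML.
HIDDEN_FORM = ('<form id="resetAdmin" style="display:none" method="post" action="/resetAdminPw">'
               '<input name="newpw"><button>Reset</button></form>')


def vulnerable_handler(dev: Device, req: Request):
    """CSS display:none is a presentation choice, not an authorization check."""
    if req.method == "GET" and req.path == "/login":
        return 200, "<h1>Login</h1>" + HIDDEN_FORM  # sent to everyone, just not displayed
    if req.method == "POST" and req.path == "/resetAdminPw":
        # No session, no role and no current-password check: anyone on the
        # network can set the administrator password with one request.
        dev.admin_hash = pw_hash(req.form["newpw"], dev.salt)
        return 200, "password changed"
    return 404, ""


def hardened_handler(dev: Device, req: Request):
    """Authorization is enforced server-side on the state-changing request."""
    sid = req.cookies.get("sid")
    role = dev.sessions.get(sid)
    if req.method == "GET" and req.path == "/login":
        return 200, "<h1>Login</h1>"  # the reset form is not even emitted to unauthenticated users
    if req.method == "POST" and req.path == "/resetAdminPw":
        if role != "admin":
            return 401, "authentication required"
        if not dev.check_admin_pw(req.form.get("currentpw", "")):
            return 403, "current password incorrect"  # re-authenticate for a sensitive change
        dev.admin_hash = pw_hash(req.form["newpw"], dev.salt)
        # Revoke every other admin session so a stolen session cannot outlive the change.
        for other, r in list(dev.sessions.items()):
            if r == "admin" and other != sid:
                del dev.sessions[other]
        return 200, "password changed"
    return 404, ""


def login(dev: Device, password: str):
    """Returns a session id on success, None otherwise."""
    if dev.check_admin_pw(password):
        sid = secrets.token_hex(16)
        dev.sessions[sid] = "admin"
        return sid
    return None


def unauthenticated_reset_succeeds(handler) -> bool:
    """Sends the reset POST with no cookie at all and reports whether the admin is locked out."""
    dev = Device()
    status, _ = handler(dev, Request("POST", "/resetAdminPw", {"newpw": "attacker-chosen"}))
    return status == 200 and not dev.check_admin_pw("initial-admin-pw")
```

Run against the two handlers, unauthenticated_reset_succeeds() is True for the vulnerable one and False for the hardened one; the developer-tools step in the advisory only matters for a human using the browser, the request itself carries no proof of identity in either case.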
Potential Impact
For European organizations running LG Electronics AC Smart II devices, this vulnerability is primarily a risk to operational continuity and to control of the device. Because the password can be changed without any authentication, an attacker can lock out legitimate administrators and then log in with the password they chose, which amounts to taking over device management. This matters most where the devices control climate in facilities that depend on it, such as manufacturing, healthcare and critical-infrastructure sites. The published vector records no confidentiality or integrity impact, so the direct data-breach risk is low, but loss of availability and control over environmental systems can still disrupt operations. The attack requires adjacent network access, meaning the attacker must already be on the same local network segment (or reach it through VPN or a compromised host), which is a realistic position for an insider or for an attacker who has gained a foothold elsewhere on the network. With no user interaction required, exploitation is simple to automate and easy to carry out quietly. The absence of a patch at the time of writing lengthens the exposure window and makes compensating controls urgent.
Mitigation Recommendations
1. Network Segmentation: Restrict access to the AC Smart II management interface to trusted network segments only. Use VLANs and firewall rules so that only administrators' workstations and management systems can reach it; because the attack vector is adjacent network, keeping untrusted hosts off the device's segment removes most of the exposure.
2. Access Controls: Require VPN with multi-factor authentication for any remote access to the management segment, and do not expose the interface to general office networks or the internet.
3. Monitoring and Logging: Enable whatever logging the device offers and log at the network level (firewall, reverse proxy or span port) in front of it. The hidden form is part of the normal page, so watch the password-change request itself: any administrator password change that has no matching change record, or that originates from a host outside the management segment, should be treated as an incident. Also alert on any administrator login failures following such a change.
4. Device Hardening: Where configuration allows, disable or restrict the hidden reset form or the endpoint it submits to. Until a fix is available, a filtering proxy in front of the interface that only forwards requests from approved management hosts is a practical stop-gap.
5. Vendor Coordination: Track LG Electronics' advisory for a firmware update that adds the missing authentication check, and apply it promptly once available.
6. Incident Response Preparedness: Document how to regain control of a device whose administrator password has been changed, including local or physical recovery procedures, and verify the procedure before it is needed.
7. User Awareness: Make network administrators aware that this class of flaw is exploitable from any host on the local segment, so that physical network ports and Wi-Fi attached to the management segment are protected accordingly.
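The monitoring and segmentation recommendations above, as an added worked example (not an AC Smart II feature, and the device is not known to log in this format). The log lines are constructed for the demo in a simple "timestamp src_ip method path status sid=<session>" format such as a reverse proxy or logging firewall placed in front of the management interface could produce; the path /resetAdminPw, the sid marker and the 10.20.5.0/24 management VLAN are hypothetical. The analyzer flags every request that reaches the interface from outside the trusted segment and every accepted password change, distinguishing changes made with no session at all (the pattern this CVE produces) from changes that should merely be reconciled against change records.

```python
# Added example: detection logic for unauthorized administrator password
# changes and for access from outside the management segment. Log format,
# endpoint path, session marker and network ranges are demo assumptions.
import ipaddress
from dataclasses import dataclass

# Trusted management VLAN(s); everything else reaching the interface is suspect.
MGMT_NETS = [ipaddress.ip_network("10.20.5.0/24")]
# Hypothetical endpoint the reset form submits to.
PASSWORD_CHANGE_PATHS = {"/resetAdminPw"}

NO_SESSION = "admin password change accepted without a session"
OUTSIDE_SEGMENT = "request to management interface from outside trusted segment"
RECONCILE = "admin password changed; reconcile against change records"

# Constructed sample: a legitimate admin change from the management VLAN,
# then two unauthenticated changes, one from an office VLAN and one from
# an address outside the site.
SAMPLE_LOG = """\
2025-09-14T12:01:03Z 10.20.5.7 GET /login 200 sid=-
2025-09-14T12:01:09Z 10.20.5.7 POST /login 302 sid=a1f3
2025-09-14T12:02:40Z 10.20.5.7 POST /resetAdminPw 200 sid=a1f3
2025-09-14T12:10:11Z 10.20.44.91 GET /login 200 sid=-
2025-09-14T12:10:15Z 10.20.44.91 POST /resetAdminPw 200 sid=-
2025-09-14T12:11:02Z 192.0.2.77 POST /resetAdminPw 200 sid=-
"""


@dataclass
class Finding:
    line_no: int
    src: str
    reason: str


def parse_line(line: str):
    """Splits one constructed log line into its fields; sid is '-' when no session cookie was sent."""
    ts, src, method, path, status, sid = line.split()
    return ts, src, method, path, int(status), sid.split("=", 1)[1]


def in_mgmt_net(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MGMT_NETS)


def analyze(log_text: str) -> list:
    """Returns one Finding per suspicious condition, in log order."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        _, src, method, path, status, sid = parse_line(line)
        if not in_mgmt_net(src):
            findings.append(Finding(n, src, OUTSIDE_SEGMENT))
        if method == "POST" and path in PASSWORD_CHANGE_PATHS and status < 400:
            # A 2xx/3xx on the reset endpoint means the device accepted the change.
            findings.append(Finding(n, src, NO_SESSION if sid == "-" else RECONCILE))
    return findings


def unauthenticated_password_changes(log_text: str) -> list:
    """(line_no, src) for every accepted change that carried no session: the CWE-306 signature."""
    return [(f.line_no, f.src) for f in analyze(log_text) if f.reason == NO_SESSION]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.src}: {f.reason}")
```

The no-session check is the one that matters for this CVE, but it only works if the logging point can see the session cookie, which a reverse proxy in front of the device can and a plain firewall cannot; where only flow logs are available, fall back to the segment check and to alerting on any POST to the interface from an unexpected source.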
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: LGE
- Date Reserved: 2025-09-10T01:26:32.811Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c6b93c72e3f37451632354
Added to database: 9/14/2025, 12:46:52 PM
Last enriched: 9/14/2025, 12:47:13 PM
Last updated: 9/14/2025, 3:27:34 PM