
CVE-2025-10910: CWE-639 Authorization Bypass Through User-Controlled Key in Govee H6056

Severity: Critical
Published: Thu Dec 18 2025 (12/18/2025, 11:21:21 UTC)
Source: CVE Database V5
Vendor/Project: Govee
Product: H6056

Description

A flaw in the binding process of Govee’s cloud platform and devices allows a remote attacker to bind an existing, online Govee device to the attacker’s account, resulting in full control of the device and its removal from the legitimate owner’s account. The server‑side API allows device association using a set of identifiers, "device", "sku", "type", and a client‑computed "value", that are not cryptographically bound to a secret originating from the device itself. The vulnerability has been verified on the Govee H6056 lamp in firmware version 1.08.13, but may also affect other Govee cloud‑connected devices. The vendor is not able to provide a list of affected products, but is rolling out firmware and server-side fixes. Devices that have reached end‑of‑life for security support need replacement with newer models that support updates.

AI-Powered Analysis

Last updated: 12/18/2025, 11:56:24 UTC

Technical Analysis

CVE-2025-10910 is an authorization bypass vulnerability classified under CWE-639, impacting Govee's cloud platform and connected devices, specifically verified on the H6056 smart lamp running firmware version 1.08.13. The vulnerability arises from the device binding process, where the server-side API accepts device association requests using identifiers including "device", "sku", "type", and a client-computed "value". Critically, these identifiers are not cryptographically bound to a secret originating from the device itself, allowing an attacker to remotely bind an already online device to their own account without possessing any secret or authentication credentials. This flaw enables the attacker to gain full control over the device and remove it from the legitimate owner's account, effectively hijacking the device. The vulnerability requires no user interaction and can be exploited remotely over the network, making it highly accessible to attackers. Although confirmed on the H6056 model, the vendor acknowledges that other Govee cloud-connected devices may also be vulnerable, but cannot provide a definitive list. The vendor is addressing the issue through firmware updates and server-side fixes; however, devices that have reached end-of-life and no longer receive security support must be replaced to ensure protection. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) indicates a critical severity with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability.

Potential Impact

For European organizations, the impact of this vulnerability is significant, particularly for those deploying Govee smart devices in office environments, smart buildings, or employee homes where these devices are connected to corporate networks or used for automation. Unauthorized control over devices can lead to privacy violations, unauthorized surveillance, or disruption of device functionality. Attackers could remove devices from legitimate accounts, causing operational disruptions and potential loss of trust in smart infrastructure. In sectors such as healthcare, education, or government offices where smart devices may be used for environmental controls or monitoring, this could lead to safety risks or data leakage. The lack of authentication and ease of exploitation increases the likelihood of attacks, especially in environments with less stringent network segmentation or IoT security policies. Additionally, the inability to verify affected devices beyond the H6056 model complicates risk assessment and mitigation efforts, potentially exposing a broader range of devices to compromise.

Mitigation Recommendations

European organizations should immediately verify if they use Govee H6056 devices or other Govee cloud-connected products and identify firmware versions in use. They must apply the vendor's firmware updates as soon as they become available and ensure server-side patches are deployed by the vendor. For devices that have reached end-of-life and no longer receive security updates, organizations should plan for prompt replacement with newer, supported models. Network segmentation should be enforced to isolate IoT devices from critical infrastructure and sensitive data networks, reducing the attack surface. Monitoring device account bindings and unusual device ownership changes can help detect exploitation attempts. Implementing multi-factor authentication and additional verification steps for device binding on the cloud platform, if supported, can mitigate unauthorized binding risks. Organizations should also review and tighten access controls on cloud accounts managing IoT devices and educate users on the risks of unauthorized device control. Finally, maintaining an inventory of IoT devices and their firmware versions will aid in rapid response to emerging vulnerabilities.
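As an added example that is neither Govee's code nor part of this record, the following Python models the two binding designs the analysis contrasts, a server that accepts a client-derivable "value" beside one that demands proof of possession from the device, and the ownership-change monitoring the mitigation section recommends. Everything in it is constructed: the device identifiers, the per-device factory secret (assumed to be provisioned at manufacture and held only by the device), the registry, the audit log and all function names.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed per-device factory secrets (assumption: provisioned at
# manufacture and never leaves the device). Fixed bytes keep the example
# deterministic; a real deployment would use per-unit random keys.
DEVICE_SECRETS = {
    "dev-0001": bytes.fromhex("11" * 32),
    "dev-0002": bytes.fromhex("22" * 32),
}


@dataclass
class Device:
    device_id: str
    sku: str
    dev_type: str
    owner: Optional[str] = None
    online: bool = False


def make_registry():
    """Constructed cloud-side registry: dev-0001 is already owned and online."""
    return {
        "dev-0001": Device("dev-0001", "LAMP-SKU", "light", owner="alice", online=True),
        "dev-0002": Device("dev-0002", "LAMP-SKU", "light"),
    }


AUDIT = []  # ownership-change log, appended by both binding variants


def _record(dev, new_owner):
    AUDIT.append({"device": dev.device_id, "old_owner": dev.owner,
                  "new_owner": new_owner, "online": dev.online})
    dev.owner = new_owner


def client_value(device_id, sku, dev_type):
    """Constructed stand-in for a 'value' any client can derive from public identifiers."""
    return hashlib.sha256(f"{device_id}|{sku}|{dev_type}".encode()).hexdigest()


def bind_insecure(registry, device_id, sku, dev_type, value, requester):
    """Vulnerable pattern (CWE-639): the check depends only on data the requester
    already knows, and an existing owner is silently overwritten."""
    dev = registry.get(device_id)
    if dev is None or dev.sku != sku or dev.dev_type != dev_type:
        return "unknown-device"
    if not hmac.compare_digest(value, client_value(device_id, sku, dev_type)):
        return "rejected"
    _record(dev, requester)
    return "bound"


PENDING = {}  # device_id -> outstanding single-use nonce


def issue_challenge(device_id):
    """Server step 1: hand out a fresh nonce the device must sign."""
    nonce = secrets.token_hex(16)
    PENDING[device_id] = nonce
    return nonce


def device_sign(device_id, nonce):
    """Runs on the device: only it holds DEVICE_SECRETS[device_id]."""
    msg = f"bind:{device_id}:{nonce}".encode()
    return hmac.new(DEVICE_SECRETS[device_id], msg, hashlib.sha256).hexdigest()


def bind_secure(registry, device_id, requester, proof):
    """Hardened pattern: proof of possession over a fresh server nonce (consumed
    on use), and no takeover of a device that already has a different owner."""
    dev = registry.get(device_id)
    if dev is None:
        return "unknown-device"
    nonce = PENDING.pop(device_id, None)
    if nonce is None:
        return "no-challenge"
    if not hmac.compare_digest(proof, device_sign(device_id, nonce)):
        return "rejected"
    if dev.owner is not None and dev.owner != requester:
        return "already-owned"  # current owner must unbind first
    _record(dev, requester)
    return "bound"


def flag_takeovers(audit):
    """Detection: an online device whose owner changed to a different account
    without an intervening unbind (old_owner still set) is a likely hijack."""
    return [e["device"] for e in audit
            if e["old_owner"] is not None
            and e["old_owner"] != e["new_owner"]
            and e["online"]]
```

The insecure variant accepts any requester who can reproduce the public-field "value" and overwrites the existing owner, which is exactly the event `flag_takeovers` surfaces from the audit log. The hardened variant makes binding depend on a device-held secret, consumes the nonce so a captured proof cannot be replayed, and refuses to rebind an owned device; that last rule is what a platform operator can enforce server-side even before device firmware is updated.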


Technical Details

Data Version
5.2
Assigner Short Name
CERT-PL
Date Reserved
2025-09-24T11:01:15.618Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6943e86c4eb3efac367ff766

Added to database: 12/18/2025, 11:41:32 AM

Last enriched: 12/18/2025, 11:56:24 AM

Last updated: 12/18/2025, 2:59:08 PM
