CVE-2025-10910: CWE-639 Authorization Bypass Through User-Controlled Key in Govee H6056
A flaw in the binding process of Govee’s cloud platform and devices allows a remote attacker to bind an existing, online Govee device to the attacker’s account, resulting in full control of the device and its removal from the legitimate owner’s account. The server‑side API allows device association using a set of identifiers ("device", "sku", "type", and a client‑computed "value") that are not cryptographically bound to a secret originating from the device itself. The vulnerability has been verified for the Govee H6056 lamp in firmware version 1.08.13, but may also affect other Govee cloud‑connected devices. The vendor is investigating other potentially affected models. The vendor has deployed server-side security enhancements and automatic firmware updates for model H6056. Most H6056 devices have been patched through automatic updates. Remaining H6056 users with upgradeable hardware versions must manually update the firmware through the Govee Home app while keeping their device WiFi-connected: open the Govee Home app, tap the H6056 device card to enter the device details page, tap the settings icon in the upper right corner, navigate to the Device Information section (Firmware Version), and tap the Update button to install the security patch immediately. Govee H6056 devices with hardware versions 1.00.10 or 1.00.11 cannot receive firmware updates due to hardware limitations.
AI Analysis
Technical Summary
CVE-2025-10910 is an authorization bypass vulnerability categorized under CWE-639, affecting Govee's cloud platform and specifically the H6056 smart lamp device running firmware version 1.08.13. The vulnerability arises from the device binding process, where the server-side API accepts a set of identifiers—"device", "sku", "type", and a client-computed "value"—to associate a device with a user account. Critically, these identifiers are not cryptographically bound to a secret unique to the device, allowing an attacker to forge the binding request. This flaw enables a remote attacker to bind an already online device to their own account without any authentication or user interaction, effectively hijacking the device. The attacker gains full control, including the ability to remove the device from the legitimate owner’s account, causing denial of service and potential privacy breaches. The vendor has responded by deploying server-side security enhancements and automatic firmware updates for the H6056 model. However, devices with hardware versions 1.00.10 and 1.00.11 cannot receive firmware updates due to hardware constraints, leaving them vulnerable. Users with upgradeable hardware must manually update their firmware through the Govee Home app while the device remains connected to WiFi. Although no exploits have been observed in the wild, the vulnerability’s high CVSS score (9.3) reflects its critical nature, with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. The vendor is investigating other Govee models for similar issues, indicating a potential broader impact across their product line.
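The summary above describes the CWE-639 pattern: the binding endpoint trusts identifiers the client can supply or compute itself, so possession of the device is never proven. The toy model below is an added illustration written for this page, not Govee's API or code; the field names, the formula for the client-computed "value", the device names and the accounts are constructed assumptions. It places the weak check beside a hardened one that issues a single-use challenge, requires an HMAC made with a per-device secret over that challenge and the target account, and refuses to overwrite an existing owner.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed toy model of a cloud device-binding endpoint. Field names and the
# formula for the client-computed "value" are assumptions for illustration,
# not Govee's real API or algorithm.

@dataclass
class Device:
    sku: str
    dev_type: str
    owner: Optional[str]   # account currently bound to the device, or None
    secret: bytes          # per-device secret known only to the device and the cloud


def device_answer(secret: bytes, nonce: bytes, account: str) -> bytes:
    """Runs on the device: HMAC over the challenge and the target account, so a
    captured proof cannot be replayed or redirected to another account."""
    return hmac.new(secret, nonce + account.encode(), hashlib.sha256).digest()


@dataclass
class Cloud:
    devices: dict
    challenges: dict = field(default_factory=dict)

    def _lookup(self, req: dict) -> Optional[Device]:
        dev = self.devices.get(req["device"])
        if dev is None or dev.sku != req["sku"] or dev.dev_type != req["type"]:
            return None
        return dev

    def weak_bind(self, account: str, req: dict) -> bool:
        """Vulnerable pattern (CWE-639): "value" depends only on public
        identifiers, so anyone who knows them can compute it (assumed formula)."""
        dev = self._lookup(req)
        if dev is None:
            return False
        public = f'{req["device"]}|{req["sku"]}|{req["type"]}'.encode()
        if req["value"] != hashlib.sha256(public).hexdigest():
            return False
        dev.owner = account   # silently displaces the legitimate owner
        return True

    def issue_challenge(self, device_id: str) -> bytes:
        """Hardened flow, step 1: a single-use nonce the device must answer."""
        nonce = secrets.token_bytes(16)
        self.challenges[device_id] = nonce
        return nonce

    def hardened_bind(self, account: str, req: dict) -> bool:
        """Hardened flow, step 2: require a fresh proof made with the device-held
        secret and never overwrite an existing owner."""
        dev = self._lookup(req)
        if dev is None:
            return False
        nonce = self.challenges.pop(req["device"], None)   # consumed on first use
        if nonce is None:
            return False
        if not hmac.compare_digest(device_answer(dev.secret, nonce, account), req["proof"]):
            return False
        if dev.owner is not None and dev.owner != account:
            return False   # the current owner must release the device first
        dev.owner = account
        return True

    def release(self, account: str, device_id: str) -> bool:
        dev = self.devices[device_id]
        if dev.owner != account:
            return False
        dev.owner = None
        return True


def new_cloud() -> Cloud:
    # Constructed sample inventory: one lamp already bound to "alice".
    return Cloud({"lamp-01": Device("H6056", "lamp", "alice", secrets.token_bytes(32))})


def demo() -> dict:
    ids = {"device": "lamp-01", "sku": "H6056", "type": "lamp"}
    out = {}

    # Weak endpoint: a third party knowing only the public identifiers takes over.
    weak = new_cloud()
    forged = dict(ids, value=hashlib.sha256(b"lamp-01|H6056|lamp").hexdigest())
    out["weak_accepts_third_party"] = weak.weak_bind("mallory", forged)
    out["weak_owner_after"] = weak.devices["lamp-01"].owner

    # Hardened endpoint: the same party holds no device secret, so its proof fails.
    hard = new_cloud()
    nonce = hard.issue_challenge("lamp-01")
    guess = dict(ids, proof=device_answer(b"wrong secret", nonce, "mallory"))
    out["hardened_rejects_third_party"] = not hard.hardened_bind("mallory", guess)
    out["hardened_owner_after"] = hard.devices["lamp-01"].owner

    # Legitimate transfer: owner releases, new owner binds with the device's own proof.
    hard.release("alice", "lamp-01")
    nonce = hard.issue_challenge("lamp-01")
    proof = device_answer(hard.devices["lamp-01"].secret, nonce, "bob")
    out["hardened_accepts_possession"] = hard.hardened_bind("bob", dict(ids, proof=proof))
    out["replay_rejected"] = not hard.hardened_bind("bob", dict(ids, proof=proof))
    return out
```

Two design points carry the fix: the secret lives on the device and the cloud, never in the app, so a binding request cannot be assembled from identifiers alone; and a device that already has an owner is only rebound after that owner releases it, which is also the event a defender would log and alert on (mitigation item 5 below).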
Potential Impact
For European organizations, the impact of CVE-2025-10910 can be significant, especially for enterprises or smart building operators using Govee H6056 lamps or other Govee IoT devices in their infrastructure. An attacker gaining control over these devices can disrupt lighting systems, potentially causing operational disruptions or safety concerns. Furthermore, device hijacking may lead to privacy violations if devices collect or transmit sensitive data. The removal of devices from legitimate accounts can cause service interruptions and require costly remediation efforts. In environments where IoT devices are integrated into larger automation or security systems, this vulnerability could be leveraged as a foothold for lateral movement or further attacks. Although no exploits are currently known in the wild, the ease of exploitation and critical severity necessitate urgent attention. The inability to patch certain hardware versions increases risk for organizations with older devices. The vendor’s ongoing investigation into other models suggests that the threat landscape may expand, requiring continuous vigilance. Overall, European organizations using Govee devices should assess their exposure, prioritize patching, and monitor for suspicious activity to mitigate potential operational and security impacts.
Mitigation Recommendations
1. Immediately verify the firmware version of all Govee H6056 devices and update to the latest patched version using the Govee Home app, ensuring devices remain connected to WiFi during the update process.
2. For devices with hardware versions 1.00.10 or 1.00.11 that cannot be updated, consider device replacement to eliminate exposure.
3. Monitor the vendor’s communications for updates on other potentially affected Govee models and apply patches or mitigations as they become available.
4. Implement network segmentation for IoT devices to limit exposure and reduce the risk of lateral movement if a device is compromised.
5. Enforce strict access controls and monitoring on accounts managing IoT devices to detect unauthorized device binding or unusual account activity.
6. Employ anomaly detection tools to identify unexpected device behavior or control changes.
7. Engage with Govee support to confirm device status and receive guidance on secure configurations.
8. Maintain an inventory of all IoT devices and their firmware/hardware versions to prioritize remediation efforts.
9. Educate users and administrators about the vulnerability and the importance of timely updates.
10. Consider deploying additional endpoint security solutions that can detect or block unauthorized API calls related to device binding.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: CERT-PL
- Date Reserved: 2025-09-24T11:01:15.618Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6943e86c4eb3efac367ff766
Added to database: 12/18/2025, 11:41:32 AM
Last enriched: 12/25/2025, 12:47:28 PM
Last updated: 2/2/2026, 4:51:32 PM
Views: 105