CVE-2025-10910
Unknown Unknown - Not Provided
Unauthorized Device Binding in Govee Cloud API Enables Account Takeover

Publication date: 2025-12-18

Last updated on: 2025-12-18

Assigner: CERT.PL

Description
A flaw in the binding process of Govee’s cloud platform and devices allows a remote attacker to bind an existing, online Govee device to the attacker’s account, resulting in full control of the device and removal of the device from its legitimate owner’s account. The server‑side API allows device association using a set of identifiers: "device", "sku", "type", and a client‑computed "value", that are not cryptographically bound to a secret originating from the device itself. The vulnerability has been verified for the Govee H6056 - lamp device in firmware version 1.08.13, but may affect also other Govee cloud‑connected devices. The vendor is not able to provide a list of affected products, but rolls out a firmware and server-side fixes. Devices that reached end‑of‑life for security support need replacement with newer models supporting updates.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-18
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10910
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
govee h6056 1.08.13
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an authorization bypass in the binding process between Govee's cloud platform and its devices. It allows a remote attacker to bind an already online Govee device, such as the H6056 lamp running firmware 1.08.13, to the attacker's account. This happens because the server-side API uses device identifiers and a client-computed value that are not cryptographically tied to a secret from the device itself, enabling unauthorized binding. As a result, the attacker gains full control of the device and can remove it from the legitimate owner's account. [1]

Impact Analysis

The vulnerability can impact you by allowing an attacker to take full control of your Govee device remotely. The attacker can bind your device to their own account, effectively removing your access and control over the device. This could lead to loss of device functionality, unauthorized use, and potential privacy or security risks associated with the compromised device. [1]

Mitigation Strategies

Immediate mitigation steps include updating the firmware of your Govee devices to the latest version provided by the vendor and applying any server-side fixes deployed by Govee. For devices that have reached end-of-life and no longer receive security updates, replacement with newer models that support updates is recommended to ensure protection against this vulnerability. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10910. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart