CVE-2025-10910
📋 TL;DR
This vulnerability allows remote attackers to hijack Govee smart devices by binding them to their own accounts through the cloud platform. Attackers gain full control of devices and remove them from legitimate owners' accounts. Primarily affects Govee H6056 lamp devices and potentially other Govee cloud-connected devices.
💻 Affected Systems
- Govee H6056 lamp
- Other Govee cloud-connected devices (potentially)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete loss of control over smart devices, potential physical safety risks if controlling lighting in sensitive environments, and unauthorized access to device functionality.
Likely Case
Device hijacking leading to loss of functionality, potential privacy concerns if devices have cameras or sensors, and inconvenience for legitimate owners.
If Mitigated
Minimal impact with proper patching and network segmentation, though legacy hardware may remain vulnerable.
🎯 Exploit Status
Exploitation requires network access to the device and the cloud API, but no authentication is needed for the binding process.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware updates via server-side security enhancements
Vendor Advisory: https://cert.pl/en/posts/2025/12/CVE-2025-10910/
Restart Required: Yes
Instructions:
1. Open the Govee Home app
2. Tap the H6056 device card
3. Enter the device details page
4. Tap the settings icon (upper right)
5. Navigate to Device Information > Firmware Version
6. Tap the Update button
7. Keep the device WiFi-connected during the update
🔧 Temporary Workarounds
Network Segmentation
Isolate Govee devices on a separate VLAN or network segment to limit the attack surface.
Disable Cloud Features
Use devices in local-only mode, if supported, to prevent cloud-based attacks.
🧯 If You Can't Patch
- Replace hardware versions 1.00.10 and 1.00.11 that cannot receive updates
- Disconnect vulnerable devices from network entirely and use alternative solutions
🔍 How to Verify
Check if Vulnerable:
Check the firmware version in the Govee Home app: Device Information > Firmware Version. If the version is 1.08.13 or earlier, the device may be vulnerable.
Check Version:
No CLI command available. Use Govee Home app: Device Information > Firmware Version
Verify Fix Applied:
After update, verify firmware version shows updated version in Govee Home app and test device binding functionality.
📡 Detection & Monitoring
Log Indicators:
- Unexpected device binding events
- Device disconnection from legitimate accounts
- Multiple account association attempts
Network Indicators:
- Unusual API calls to Govee cloud binding endpoints
- Traffic to/from Govee devices from unexpected sources
SIEM Query:
Not applicable - primarily cloud-based attack with limited local logging
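Where an export of account device-binding events is available, the two log indicators above (a device bound to a new account while the owner never unbound it, and repeated binding attempts) can be checked with a short script. This is an added example, not Govee's code or a Govee API; the event record format and the sample events are assumptions constructed for the example.

```python
"""Flag device-binding anomalies of the kind listed under Log Indicators.

Added example, not Govee's code. The event format is an assumption: one
record per binding event with fields ts (Unix seconds), device_id,
account_id and action ("bind" or "unbind").
"""
from collections import defaultdict

# Constructed sample events: device "H6056-A" is bound by its owner, then
# bound by other accounts without the owner ever unbinding it.
SAMPLE_EVENTS = [
    {"ts": 1000, "device_id": "H6056-A", "account_id": "owner@example.com", "action": "bind"},
    {"ts": 1100, "device_id": "H6056-B", "account_id": "owner@example.com", "action": "bind"},
    {"ts": 2000, "device_id": "H6056-A", "account_id": "other@example.net", "action": "bind"},
    {"ts": 2010, "device_id": "H6056-A", "account_id": "third@example.org", "action": "bind"},
    {"ts": 2020, "device_id": "H6056-A", "account_id": "third@example.org", "action": "bind"},
]


def find_binding_anomalies(events, attempt_window=60, max_attempts=2):
    """Return a list of (device_id, reason) tuples, in event order.

    "rebound_without_unbind": a bind by account B while account A still
    holds the device (A never unbound it) - the hijack pattern.
    "bind_burst": more than max_attempts binds for one device within
    attempt_window seconds - multiple account association attempts.
    """
    current_owner = {}                # device_id -> account holding it
    recent_binds = defaultdict(list)  # device_id -> timestamps of binds
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        dev, acct, ts = ev["device_id"], ev["account_id"], ev["ts"]
        if ev["action"] == "unbind":
            # Only the account that holds the device can release it.
            if current_owner.get(dev) == acct:
                del current_owner[dev]
            continue
        prev = current_owner.get(dev)
        if prev is not None and prev != acct:
            findings.append((dev, "rebound_without_unbind"))
        current_owner[dev] = acct
        # Keep only binds inside the sliding window, then add this one.
        recent_binds[dev] = [t for t in recent_binds[dev] if ts - t <= attempt_window] + [ts]
        if len(recent_binds[dev]) > max_attempts:
            findings.append((dev, "bind_burst"))
    return findings
```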