CVE-2025-10910

Name of the Vulnerable Software and Affected Versions Govee devices (affected versions not specified) Govee H6056 - lamp firmware version 1.08.13

Description A flaw in the binding process of Govee’s cloud platform and devices allows a remote attacker to bind an existing, online Govee device to the attacker’s account, resulting in full control of the device and removal of the device from its legitimate owner’s account. The server-side API allows device association using identifiers: device, sku, type, and a client-computed value, which are not cryptographically bound to a secret originating from the device itself. This allows for trivial device takeover via identifier manipulation.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.