Remote Control Vulnerability in Govee Cloud Platform and Devices
CVE-2025-10910
9.3 CRITICAL
What is CVE-2025-10910?
A significant security flaw in Govee's cloud platform allows remote attackers to bind legitimate Govee devices to their own accounts. Once bound, the attacker has full, unauthorized control of the device, effectively taking it away from its rightful owner. The vulnerability is rooted in the server-side API's inadequate binding process: device identifiers are not securely tied to a secret that the client must prove it holds, so possession of an identifier alone is enough to claim a device. The issue was verified on the Govee H6056 lamp running firmware version 1.08.13, but it could also extend to other Govee devices. Because some devices may no longer be supported, users are advised to upgrade to newer models that still receive security updates.
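To make the root cause concrete, the following is an added illustration (not Govee's code, and not derived from the vendor's actual API) of the two binding designs the description contrasts: a weak service that binds a device to whichever account presents its identifier, and a hardened service that requires the caller to prove possession of a per-device secret via an HMAC over a server-issued nonce. The device ids, secrets, and class and function names are all constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample registry: each device id maps to a secret that only the
# physical device (and the legitimate pairing flow) knows. Hypothetical schema.
DEVICE_SECRETS = {
    "DEV-0001": secrets.token_bytes(32),
    "DEV-0002": secrets.token_bytes(32),
}


class WeakBindingService:
    """Binds on the device identifier alone.

    Anyone who knows or guesses a valid identifier can claim the device, and a
    later bind silently overwrites the current owner. This models the flaw class
    described in the advisory.
    """

    def __init__(self):
        self.owner = {}  # device_id -> account

    def bind(self, account, device_id):
        if device_id not in DEVICE_SECRETS:
            return False
        self.owner[device_id] = account
        return True


class HardenedBindingService:
    """Binds only after a proof of possession of the device secret.

    1. The client asks to bind and receives a fresh nonce.
    2. The device computes HMAC(secret, nonce || device_id) and the client
       returns it. The server verifies it in constant time.
    3. A device already bound to a different account is not silently re-bound.
    """

    def __init__(self):
        self.owner = {}    # device_id -> account
        self.pending = {}  # (account, device_id) -> nonce awaiting proof

    def start_bind(self, account, device_id):
        nonce = secrets.token_bytes(16)
        self.pending[(account, device_id)] = nonce
        return nonce

    def finish_bind(self, account, device_id, proof):
        # pop() so a nonce can be used once only (no replay of an old proof)
        nonce = self.pending.pop((account, device_id), None)
        secret = DEVICE_SECRETS.get(device_id)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce + device_id.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return False
        current = self.owner.get(device_id)
        if current is not None and current != account:
            return False  # requires an explicit unbind by the current owner
        self.owner[device_id] = account
        return True


def device_compute_proof(device_id, nonce):
    """What the physical device would compute, since it holds the secret."""
    return hmac.new(DEVICE_SECRETS[device_id], nonce + device_id.encode(),
                    hashlib.sha256).digest()


def demo():
    """Returns (weak owner, hardened owner, whether the bogus bind succeeded)."""
    weak = WeakBindingService()
    weak.bind("owner", "DEV-0001")
    weak.bind("stranger", "DEV-0001")  # succeeds: identifier alone suffices

    hard = HardenedBindingService()
    nonce = hard.start_bind("owner", "DEV-0001")
    hard.finish_bind("owner", "DEV-0001", device_compute_proof("DEV-0001", nonce))
    hard.start_bind("stranger", "DEV-0001")
    bogus = hard.finish_bind("stranger", "DEV-0001", b"\x00" * 32)  # no secret, no bind
    return weak.owner["DEV-0001"], hard.owner["DEV-0001"], bogus


if __name__ == "__main__":
    print(demo())
```

The design point is that the identifier is public-ish data (printed on the device, visible on the local network, or enumerable), so it cannot serve as the authorization token; the secret must never leave the device, and the server should check proof of possession plus current ownership before changing the binding.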
Affected Version(s)
H6056 1.08.13
References
CVSS V4
Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Jan Adamski (NASK - PIB)
Marek Janiszewski (NASK - PIB)
