Remote Control Vulnerability in Govee Cloud Platform and Devices
CVE-2025-10910
What is CVE-2025-10910?
A significant security flaw in Govee's cloud platform allows remote attackers to bind legitimate Govee devices to their own accounts. A successful bind gives the attacker unauthorized full control over the device and effectively removes it from its rightful owner. The root cause is an inadequate binding process in the server-side API: device identifiers are not securely linked to a client-verified secret. The issue was verified on the Govee H6056 lamp running firmware version 1.08.13, and it could also extend to other Govee devices. Users are advised to upgrade to newer models that receive security updates, as some devices may no longer be supported.
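The binding weakness described above, shown as an added example next to a hardened form; this is not Govee's code or API. The function names, the per-device secret store, and the HMAC challenge-response scheme are assumptions chosen for illustration, and the device identifier is constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a per-device secret provisioned at manufacture (assumption).
DEVICE_SECRETS = {"AA:BB:CC:DD:EE:FF:00:11": b"factory-provisioned-secret"}
pending = {}  # (account, device_id) -> outstanding one-time nonce


def bind_weak(owner_map, account, device_id):
    """Flawed pattern: presenting the identifier alone replaces the binding."""
    owner_map[device_id] = account
    return True


def start_bind(account, device_id):
    """Issue a single-use challenge that the physical device must answer."""
    nonce = secrets.token_bytes(16)
    pending[(account, device_id)] = nonce
    return nonce


def device_response(device_secret, nonce, account):
    """Computed on the device itself, which is the only holder of its secret."""
    return hmac.new(device_secret, nonce + account.encode(), hashlib.sha256).digest()


def bind_hardened(owner_map, account, device_id, proof):
    """Bind only when the proof demonstrates possession of the device secret."""
    nonce = pending.pop((account, device_id), None)  # consumed even on failure
    secret = DEVICE_SECRETS.get(device_id)
    if nonce is None or secret is None:
        return False
    expected = device_response(secret, nonce, account)
    if not hmac.compare_digest(expected, proof):  # constant-time comparison
        return False
    owner_map[device_id] = account
    return True
```

In the hardened flow the account name is mixed into the MAC, so a proof produced for one account cannot be replayed to bind the device to another.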

Affected Version(s)
H6056 1.08.13
