Full Report
An Authorization Bypass Through User-Controlled Key vulnerability (CVE-2025-10910) has been found in the cloud-binding process of Govee devices running cloud connectivity firmware.
Analysis Summary
# Vulnerability: Authorization Bypass in Govee Cloud Binding
## CVE Details
- CVE ID: CVE-2025-10910
- CVSS Score: Information Not Provided (Severity Not Provided)
- CWE: CWE-639 (Authorization Bypass Through User-Controlled Key)
## Affected Systems
- Products: Govee devices with cloud connectivity firmware, specifically identified as **Govee H6056 (lamp device)**.
- Versions: Firmware version **1.08.13** (for H6056). The vulnerability may affect other Govee cloud-connected devices.
- Configurations: Devices utilizing the Govee cloud platform binding process. Note: H6056 devices with hardware versions **1.00.10 or 1.00.11** cannot receive firmware updates due to hardware limitations.
## Vulnerability Description
The vulnerability lies in the binding process between Govee's cloud platform and its devices. The server-side API associates a device with an account on the basis of a set of identifiers (`device`, `sku`, `type`) plus a `value` that the client computes itself. None of these inputs is cryptographically bound to a secret that only the physical device holds, so the server cannot tell a binding request that originates from the device's legitimate setup flow apart from one assembled by a remote party who knows the identifiers. A remote attacker can therefore bind an existing, online Govee device to their own account, gaining full control over the device and removing it from the legitimate owner's account. This is the CWE-639 pattern: the key that selects the object being claimed is under the caller's control and is not tied to any proof of possession.
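The following Python model, added here as an illustration and not code from Govee or from the CERT Polska report, contrasts a binding check of the kind described above with one that requires proof of possession. Everything in it is an assumption for the sake of the example: the identifier values, the way `value` is derived (here a hash over the public identifiers), the per-device secret provisioned at manufacture, and the HMAC challenge-response. It is not a description of Govee's actual API or firmware.

```python
import hashlib
import hmac
import secrets

# Constructed sample identifiers; real device IDs, SKUs and types are not
# taken from the advisory.
DEVICE_ID, SKU, TYPE = "H6056-0001", "H6056", "lamp"


class VulnerableCloud:
    """Binding check whose only 'proof' is a value any client can recompute
    from public identifiers (CWE-639). Hypothetical model, not Govee's API."""

    def __init__(self):
        self.owner = {}  # device id -> account that currently controls it

    @staticmethod
    def compute_value(device, sku, type_):
        # Client-computed `value`: derived solely from identifiers the attacker
        # can learn, so it carries no information about who holds the device.
        return hashlib.sha256(f"{device}|{sku}|{type_}".encode()).hexdigest()

    def bind(self, account, device, sku, type_, value):
        if not hmac.compare_digest(value, self.compute_value(device, sku, type_)):
            return "rejected"
        self.owner[device] = account  # silently re-homes an already-bound device
        return "bound"


def device_proof(device_secret, nonce, account):
    """Computed on the physical device, which is the only party besides the
    server that holds `device_secret` (assumed provisioned at manufacture)."""
    return hmac.new(device_secret, nonce + account.encode(), hashlib.sha256).digest()


class HardenedCloud:
    """Binding requires a fresh challenge answered with the device's secret,
    and an actively bound device is never re-homed without an unbind."""

    def __init__(self, device_secrets):
        self.device_secrets = device_secrets  # server-side copy per device id
        self.owner = {}
        self.challenges = {}  # (account, device) -> outstanding nonce

    def start_bind(self, account, device):
        # Ownership transfer must go through unbind (or a physical reset flow),
        # not through a competing bind request.
        if device in self.owner and self.owner[device] != account:
            return None
        nonce = secrets.token_bytes(16)
        self.challenges[(account, device)] = nonce
        return nonce

    def finish_bind(self, account, device, proof):
        nonce = self.challenges.pop((account, device), None)  # single use
        secret = self.device_secrets.get(device)
        if nonce is None or secret is None:
            return "rejected"
        if not hmac.compare_digest(proof, device_proof(secret, nonce, account)):
            return "rejected"
        self.owner[device] = account
        return "bound"

    def unbind(self, account, device):
        if self.owner.get(device) != account:
            return False
        del self.owner[device]
        return True


def run_vulnerable_scenario():
    cloud = VulnerableCloud()
    value = VulnerableCloud.compute_value(DEVICE_ID, SKU, TYPE)
    cloud.bind("owner@example.com", DEVICE_ID, SKU, TYPE, value)
    # The attacker knows only the public identifiers, yet produces an
    # acceptable request and takes the device away from its owner.
    result = cloud.bind("attacker@example.com", DEVICE_ID, SKU, TYPE, value)
    return result, cloud.owner[DEVICE_ID]


def run_hardened_scenario():
    dev_secret = secrets.token_bytes(32)
    cloud = HardenedCloud({DEVICE_ID: dev_secret})
    nonce = cloud.start_bind("owner@example.com", DEVICE_ID)
    owner_result = cloud.finish_bind(
        "owner@example.com", DEVICE_ID, device_proof(dev_secret, nonce, "owner@example.com"))
    # While bound, a competing account cannot even obtain a challenge.
    blocked = cloud.start_bind("attacker@example.com", DEVICE_ID)
    # After a legitimate unbind, a forged answer without the secret still fails.
    cloud.unbind("owner@example.com", DEVICE_ID)
    nonce2 = cloud.start_bind("attacker@example.com", DEVICE_ID)
    forged = hmac.new(b"guess", nonce2 + b"attacker@example.com", hashlib.sha256).digest()
    forged_result = cloud.finish_bind("attacker@example.com", DEVICE_ID, forged)
    return owner_result, blocked, forged_result, cloud.owner.get(DEVICE_ID)


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable_scenario())  # ('bound', 'attacker@example.com')
    print("hardened:", run_hardened_scenario())      # ('bound', None, 'rejected', None)
```

The two properties the hardened variant adds are the ones the advisory's description implies are missing: the binding proof is derived from a secret that never leaves the device and the server (so knowing `device`, `sku` and `type` is not enough), and an online device that is already bound is not re-homed by a later bind request. Replaying a captured proof also fails because each challenge nonce is consumed on use.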
## Exploitation
- Status: Disclosed through coordinated vulnerability disclosure; the source does not state whether it has been exploited in the wild. A proof of concept presumably exists since the finding came from a research report, but none is published in the source.
- Complexity: Not stated; likely Medium, since the attacker must interact with the cloud binding API and know the target device's identifiers.
- Attack Vector: Network (remote, via the cloud binding API).
## Impact
- Confidentiality: High (Full control implies access to device data/functionality).
- Integrity: High (Ability to alter device state/control).
- Availability: Medium/High (Ability to remove the device from the legitimate owner's control).
## Remediation
### Patches
- Vendor has deployed server-side security enhancements.
- **Govee H6056 (Firmware 1.08.13):** Automatic firmware updates have been deployed. Most devices should be patched this way.
- **Manual Update for remaining H6056:** Users must keep their device WiFi-connected and follow the steps in the Govee Home app to check for and install the update immediately.
1. Open Govee Home app.
2. Tap the H6056 device card.
3. Tap the settings icon (upper right corner).
4. Navigate to Device Information section (Firmware Version).
5. Tap the **Update** button.
### Workarounds
- For Govee H6056 devices with hardware versions **1.00.10 or 1.00.11**: No firmware update is possible due to hardware limitations. *No specific software workaround provided in the text for these permanently impacted hardware versions.*
## Detection
- Indicators of Compromise: From the owner's side, a device that disappears from the Govee Home app without any unbind or reset action, or that stops responding to the app while still powered and online; from the platform's side, a device re-bound to a different account while its previous binding was still active and online.
- Detection Methods and Tools: Owners have little telemetry beyond the app, so keep an inventory of bound devices and periodically confirm each still appears under the expected account. Where the cloud platform's API logs are available, alert on binding or association requests for a device that is already bound to another account; the source suggests only monitoring of binding/association traffic and inventory tracking, and names no specific tooling.
## References
- Vendor advisories: None linked in the source; the vendor (Govee) is aware and has implemented fixes.
- Relevant links:
- hxxps://incydent.cert.pl/#!/lang=en (Report an incident)
- hxxps://cert.pl/en/cvd/ (CERT Polska Coordinated Vulnerability Disclosure process)