CVE-2025-10204 HIGH

CVE-2025-10204: Unauth Admin Reset Password on AC Smart II

Vendor LG Electronics
Product AC Smart II
Weakness CWE-306 · Missing auth
Published September 14, 2025
Last update September 15, 2025

CVSS base score

7.1/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

A vulnerability has been discovered in AC Smart II that allows passwords to be changed without authorization. The affected page contains a hidden form for resetting the administrator password. An attacker can manipulate the page with browser developer tools to display and use the form. The form changes the administrator password without verifying login status or user permissions.

Key dates

02 Disclosure timeline

September 14, 2025 CVE published
September 15, 2025 Record updated