CVE-2025-10204
HIGH | EXPLOITED | NUCLEI
LG Electronics AC Smart II - Unauthenticated Administrator Password Change via Hidden Form
Title source: llm
Exploitation Summary
CVE-2025-10204 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
A vulnerability has been discovered in AC Smart II that allows passwords to be changed without authorization. The page contains a hidden form for resetting the administrator password. An attacker can manipulate the page with browser developer tools to display and use the form. The form changes the administrator password without verifying login status or user permissions.
Nuclei Templates (1)
AC Smart II - Authentication Bypass
HIGH | VERIFIED | by theeldruin
Shodan: html:"Doc/WebLogin.asp"
FOFA: body="Doc/WebLogin.asp"
References (1)
Core References
Various Sources vendor-advisory
https://lgsecurity.lge.com/bulletins
Scores
CVSS v4: 7.1
CVSS v4 vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.0245
EPSS Percentile: 85.6%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
VulnCheck KEV: 2025-12-31
CWE: CWE-306
Status: published
Products (1): LG Electronics/AC Smart II 2.1.9
Published: Sep 14, 2025
Tracked Since: Feb 18, 2026