Deral Heiland, principal security consultant at security firm Rapid7, explained in an email this week that the vulnerabilities can be used to attack home and enterprise networks and, if fully exploited, could allow an attacker to pivot into an internal network.
That could lead to browser-based attacks against a user.
Another severe weakness in the smart home device allows an attacker to identify the wireless network's password. The devices use short, eight-character codes, which can be easily cracked within a matter of minutes or hours.
Osram, a Germany-based company, remains a mid-level smart lighting player, behind Philips Hue and Belkin.
A spokesperson for Osram said in an email that the flaws will be patched in a release planned for August. But flaws that relate to ZigBee, the wireless protocol used in many smart home appliances, are "unfortunately not in Osram's area of influence."
It's not the first time a smart home tech company has fallen at the first security hurdle.
Smart home technology has seen an intense focus in recent months, given the explosion in the Internet of Things space. Manufacturers of these internet-connected devices have, however, faced criticism for putting functionality over security. Common flaws in smart home devices can allow hackers to collect data or conduct surveillance.
Heiland said Osram indicated that the next round of patches would fix all the flaws, with the exception of two lesser flaws.