CVE-2025-11633
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-12

Last updated on: 2025-10-30

Assigner: VulDB

Description
A vulnerability was identified in Tomofun Furbo 360 and Furbo Mini. Affected by this issue is the function upload_file_to_s3 of the file collect_logs.sh of the component HTTP Traffic Handler. The manipulation leads to improper certificate validation. The attack may be initiated remotely. The attack is considered to have high complexity. The exploitation is known to be difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-12
Last Modified
2025-10-30
Generated
2026-06-16
AI Q&A
2025-10-12
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11633
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
furbo furbo_mini_firmware to 074 (inc)
furbo furbo_mini *
furbo furbo_360_dog_camera_firmware to 036 (inc)
furbo furbo_360_dog_camera *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-11633 is a vulnerability in Tomofun Furbo 360 and Furbo Mini devices caused by improper certificate validation in their HTTP Traffic Handler component. The devices use curl with the "-k" option, which disables certificate verification, allowing an attacker positioned upstream to perform a man-in-the-middle attack. This enables the attacker to impersonate the server and intercept HTTPS traffic, including sensitive data such as user account IDs, device IDs, and configurations. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing a remote attacker to intercept and decrypt HTTPS traffic between your device and its server. The attacker can access sensitive information like user account IDs, device IDs, and configurations, which can be used to launch more targeted and sophisticated attacks against your device or user account. The integrity of your device's communications is compromised, potentially leading to unauthorized data exposure. [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring HTTPS traffic from affected Tomofun Furbo 360 and Furbo Mini devices for signs of man-in-the-middle attacks or improper certificate validation. Since the devices use curl with the "-k" option (which disables certificate verification), you can look for HTTPS requests from these devices that do not properly validate certificates. Network traffic analysis tools like Wireshark can be used to inspect TLS handshakes for anomalies. Additionally, checking device firmware versions to see if they are up to Furbo 360 FB0035_FW_036 or Furbo Mini MC0020_FW_074 can help identify vulnerable devices. Specific commands are not provided in the resources. [1, 2]

Mitigation Strategies

Immediate mitigation steps include replacing affected Tomofun Furbo 360 and Furbo Mini devices running vulnerable firmware versions (up to FB0035_FW_036 for Furbo 360 and up to MC0020_FW_074 for Furbo Mini) with alternatives, as no known countermeasures or patches are currently available. Avoid using these devices on sensitive networks where interception risks are high. Monitor network traffic for suspicious activity and consider isolating these devices to limit exposure. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11633. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart