CVE-2025-11634
BaseFortify

Publication date: 2025-10-12

Last updated on: 2025-10-30

Assigner: VulDB

Description
A security flaw has been discovered in Tomofun Furbo 360 and Furbo Mini. This affects an unknown part of the component UART Interface. The manipulation results in information disclosure. An attack on the physical device is feasible. The exploit has been released to the public and may be exploited. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2025-10-12
Last Modified: 2025-10-30
Generated: 2026-05-07
AI Q&A: 2025-10-12
EPSS Evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products
Showing 4 associated CPEs

Vendor   Product                          Version / Range
furbo    furbo_mini_firmware              up to 074 (inclusive)
furbo    furbo_mini                       * (all versions)
furbo    furbo_360_dog_camera_firmware    up to 036 (inclusive)
furbo    furbo_360_dog_camera             * (all versions)
CWE ID           Description
CWE-284          The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-200          The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
NVD-CWE-noinfo   Insufficient information (NVD placeholder; no specific weakness type assigned).
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Tomofun Furbo 360 and Furbo Mini devices through their UART interface. An attacker with physical access to the UART interface can extract sensitive information such as Firmware URL, SecretKey, DeviceToken, and DeviceId from log files. Using this information, the attacker can retrieve and decrypt the device's firmware, impersonate the device, and upload malicious files to a debug server, potentially compromising the device. [1, 2]


How can this vulnerability impact me?

The vulnerability can lead to unauthorized disclosure of sensitive device information, allowing an attacker with physical access to decrypt firmware and impersonate the device. This can result in malicious firmware uploads and device compromise. However, exploitation requires physical access and no remote attack is possible. The impact is limited to confidentiality, with no effect on integrity or availability. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability requires physical access to the UART interface of the affected Tomofun Furbo 360 and Furbo Mini devices. Detection involves physically connecting to the UART interface and inspecting log files for sensitive information such as Firmware URL, SecretKey, DeviceToken, and DeviceId. There are no known remote detection methods or specific commands provided. Since the attack is local and hardware-based, network detection is not applicable. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting physical access to the affected devices to prevent exploitation via the UART interface. Since no vendor response or patches are available and no known mitigations exist, it is recommended to consider replacing affected devices with alternatives. Monitoring physical security and device usage is critical. [2]

