CVE-2025-11641
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-12

Last updated on: 2025-10-30

Assigner: VulDB

Description
A vulnerability was determined in Tomofun Furbo 360 and Furbo Mini. This impacts an unknown function of the component Trial Restriction Handler. This manipulation causes improper access controls. It is feasible to perform the attack on the physical device. The attack is considered to have high complexity. The exploitability is said to be difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-12
Last Modified
2025-10-30
Generated
2026-06-16
AI Q&A
2025-10-12
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11641
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
furbo furbo_mini_firmware to 074 (inc)
furbo furbo_mini *
furbo furbo_360_dog_camera_firmware to 036 (inc)
furbo furbo_360_dog_camera *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-11641 is an access control vulnerability in Tomofun Furbo 360 and Furbo Mini devices affecting the Trial Restriction Handler component. It allows an attacker with physical access to the device to bypass trial restrictions by manipulating the device's MAC address, which resets the 30-day premium trial period repeatedly. This results in unauthorized unlimited access to premium features without proper authorization. Exploitation is difficult and requires physical access, with no authentication needed. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing unauthorized users with physical access to your Tomofun Furbo 360 or Furbo Mini device to bypass trial restrictions and gain unlimited access to premium features without paying or proper authorization. This compromises the device's intended usage controls and may affect the confidentiality, integrity, and availability of the device's features. [1, 2]

Detection Guidance

This vulnerability requires physical access to the device and involves manipulation of the device's MAC address to bypass trial restrictions. Detection on a network or system via commands is not feasible because the exploit does not rely on network activity or remote access. There are no known public exploits or detection commands available. [1, 2]

Mitigation Strategies

No known countermeasures or mitigations exist for this vulnerability. The recommended immediate step is to replace affected devices with alternative products. Since the vendor has not responded and no patches are available, physical security to prevent unauthorized access is also advised. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11641. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart