CVE-2025-11644
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-12

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in Tomofun Furbo 360 and Furbo Mini. Affected by this issue is some unknown functionality of the component UART Interface. Executing manipulation can lead to insecure storage of sensitive information. The physical device can be targeted for the attack. This attack is characterized by high complexity. The exploitation is known to be difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-12
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-10-12
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11644
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
furbo furbo_mini_firmware to 074 (inc)
furbo furbo_mini *
furbo furbo_360_dog_camera_firmware to 036 (inc)
furbo furbo_360_dog_camera *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-922 The product stores sensitive information without properly limiting read or write access by unauthorized actors.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Tomofun Furbo 360 and Furbo Mini devices, specifically an unknown function within the UART interface. It involves insecure storage of sensitive information such as Wi-Fi credentials in a file that is not cleared by factory reset. An attacker with physical access to the device can connect via UART and extract this sensitive data, potentially exposing the previous owner's Wi-Fi SSID and password. [3, 4]

Impact Analysis

If you have a previously owned Furbo 360 or Furbo Mini device, an attacker with physical access could extract your Wi-Fi credentials from the device. This could allow unauthorized access to your home network and potentially enable geo-location of your home using services like Wigle.net. The attack requires physical access and is considered difficult to exploit, but the exploit is publicly available. [3, 4]

Detection Guidance

This vulnerability requires physical access to the affected Tomofun Furbo 360 or Furbo Mini device and involves accessing the UART interface to extract sensitive information stored insecurely. Detection involves physically connecting to the device's UART interface and inspecting the contents of the file /mnt/flash/config.json, which stores Wi-Fi credentials and is not cleared by factory reset. There are no specific network-based detection commands since exploitation is local and physical. Commands to inspect the file on the device (if shell access is available) could include: cat /mnt/flash/config.json to view stored credentials. However, no remote or network commands are provided or known for detection. [3, 4]

Mitigation Strategies

Immediate mitigation steps include physically securing the device to prevent unauthorized physical access, as exploitation requires local physical access via UART. Since factory resets do not clear sensitive stored data and no vendor patches or mitigations are available, the recommended action is to replace affected devices with non-vulnerable versions. No software or firmware updates are currently available, and no other mitigations or countermeasures are known. [4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11644. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart