CVE-2025-11644
BaseFortify

Publication date: 2025-10-12

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in the Tomofun Furbo 360 and Furbo Mini cameras. The issue lies in an unspecified function of the UART Interface component: sensitive information is stored insecurely on the device, and an attacker with physical access can read it over the UART interface. The attack therefore requires physical access to the device; it is rated as high complexity, and exploitation is known to be difficult. The firmware versions determined to be affected are Furbo 360 up to and including FB0035_FW_036 and Furbo Mini up to and including MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-10-12
EPSS evaluated: 2026-05-05
Affected Vendors & Products (4 associated CPEs)
Vendor  Product                        Version / Range
furbo   furbo_mini_firmware            up to and including 074
furbo   furbo_mini                     * (any version)
furbo   furbo_360_dog_camera_firmware  up to and including 036
furbo   furbo_360_dog_camera           * (any version)
CWE ID   Description
CWE-922 The product stores sensitive information without properly limiting read or write access by unauthorized actors.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Tomofun Furbo 360 and Furbo Mini devices, in an unspecified function of the UART interface. Wi-Fi credentials are stored in a file that a factory reset does not clear, so an attacker with physical access can connect over UART, read the file and recover the previous owner's Wi-Fi SSID and password. [3, 4]


How can this vulnerability impact me?

If you previously owned a Furbo 360 or Furbo Mini and the device has changed hands, whoever has physical access to it can extract the Wi-Fi credentials it was configured with. That gives them the password to your home network, and the SSID alone can be used to geolocate your home through wardriving databases such as Wigle.net. The attack requires physical access and is rated as difficult to exploit, but an exploit is publicly available. [3, 4]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Exploitation requires physical access to the affected Furbo 360 or Furbo Mini and a connection to its UART interface, so there is nothing to detect on the network. On the device itself, the file to inspect is /mnt/flash/config.json, which stores the Wi-Fi credentials and survives a factory reset; with shell access over UART, cat /mnt/flash/config.json shows whether credentials are still present after a reset. No remote or network-based detection commands are known. [3, 4]


What immediate steps should I take to mitigate this vulnerability?

Because exploitation requires physical access via UART, the first step is to physically secure the device. A factory reset does not clear the stored credentials, so do not rely on it before selling, returning or disposing of a device; if a device configured with your network has already left your control, change that network's Wi-Fi passphrase. No firmware update or other vendor mitigation is available, and no fixed version has been identified, so the recommended action is to replace affected devices. [4]
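A generic way to verify the factory-reset gap described in the two answers above, as an added example that is not code from the BaseFortify page or from Tomofun: take two snapshots of the device's flash filesystem (for instance dumps pulled over the UART shell), one before and one after a reset, and report every credential-like JSON value that is unchanged afterwards. The path /mnt/flash/config.json is the one named in the advisory; the JSON layout, the key names, the other file and the sample snapshots are constructed assumptions, since the page does not show the real file contents.

```python
"""Check whether credentials survive a factory reset.

Added example for CVE-2025-11644, not code from the BaseFortify page or from
Tomofun.  It compares two {path: bytes} snapshots of a device's flash taken
before and after a factory reset and reports credential-like JSON values that
are identical in both.  Only the path /mnt/flash/config.json comes from the
advisory; the JSON layout and key names are assumptions.
"""
import json
import re
from typing import Any, Dict, List

# Heuristic (assumption): key names that usually hold secrets or network
# identifiers in embedded device configs.  The SSID counts as sensitive
# because it can be used to geolocate the owner's home.
SENSITIVE_KEY_RE = re.compile(r"ssid|psk|passphrase|password|passwd|secret|token", re.I)


def sensitive_values(doc: Any, path: str = "") -> Dict[str, str]:
    """Walk a decoded JSON document and map the dotted path of every
    credential-like key with a non-empty string value to that value."""
    found: Dict[str, str] = {}
    if isinstance(doc, dict):
        for key, val in doc.items():
            child = f"{path}.{key}" if path else key
            if isinstance(val, str) and val and SENSITIVE_KEY_RE.search(key):
                found[child] = val
            else:
                found.update(sensitive_values(val, child))
    elif isinstance(doc, list):
        for i, val in enumerate(doc):
            found.update(sensitive_values(val, f"{path}[{i}]"))
    return found


def credentials_surviving_reset(before: Dict[str, bytes],
                                after: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Return {file path: [key paths]} for every credential-like value that is
    present with the same content in both snapshots.  Files the reset deleted,
    and files that are not JSON, are skipped.  A file the reset rewrote is
    still checked: a reset that rewrites config.json but keeps the Wi-Fi block
    leaks exactly as much as one that leaves the file untouched."""
    leaked: Dict[str, List[str]] = {}
    for path, data in after.items():
        old = before.get(path)
        if old is None:
            continue
        try:
            new_vals = sensitive_values(json.loads(data.decode()))
            old_vals = sensitive_values(json.loads(old.decode()))
        except (ValueError, UnicodeDecodeError):
            continue
        survived = [k for k, v in new_vals.items() if old_vals.get(k) == v]
        if survived:
            leaked[path] = survived
    return leaked


# Constructed sample snapshots (not real device data).  The modelled reset
# clears pairing state but leaves config.json byte-for-byte intact, which is
# the behaviour the advisory describes.
BEFORE = {
    "/mnt/flash/config.json": json.dumps({
        "wifi": {"ssid": "HomeNet-5G", "psk": "correct horse battery staple"},
        "device": {"model": "Furbo 360", "fw": "FB0035_FW_036"},
    }).encode(),
    "/mnt/flash/state.json": b'{"paired": true, "owner_token": "abc123"}',
}
AFTER = {
    "/mnt/flash/config.json": BEFORE["/mnt/flash/config.json"],
    "/mnt/flash/state.json": b'{"paired": false, "owner_token": ""}',
}

if __name__ == "__main__":
    for path, keys in credentials_surviving_reset(BEFORE, AFTER).items():
        print(f"{path}: credentials survived factory reset: {', '.join(keys)}")
```

On real hardware the two snapshots would be produced by dumping the flash partition (or copying the files out over the UART shell) before and after triggering the reset, and the check tells you exactly which values a second owner could still read; an empty result is what a correct reset should produce.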

