CVE-2025-3653
Improper Access Control in Petlibro Feeder Enables Device Hijacking
Publication date: 2026-01-04
Last updated on: 2026-02-03
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| petlibro | smart_pet_feeder_platform | to 1.7.31 (inc) |
| petlibro | petlibro | to 1.7.31 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-612 | The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Petlibro Smart Pet Feeder Platform versions up to 1.7.31 is an improper access control issue where the platform's API accepts arbitrary serial numbers without verifying device ownership. This allows unauthorized attackers to manipulate any device by sending serial numbers to the device control APIs, enabling them to change feeding schedules, trigger manual feeds, access camera feeds, and modify device settings without authorization. [1]
How can this vulnerability impact me? :
The vulnerability allows attackers to take control of any Petlibro Smart Pet Feeder device remotely without authorization. They can alter feeding schedules, manually trigger feeding, access live camera feeds, and change device settings. This can lead to unauthorized surveillance, disruption of pet feeding routines, and potential privacy violations. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can involve monitoring network traffic for unauthorized API calls to the Petlibro Smart Pet Feeder Platform that include arbitrary or unexpected serial numbers being sent to device control endpoints. Since the vulnerability involves accepting arbitrary serial numbers without ownership verification, commands to capture and analyze API requests (e.g., using tools like tcpdump or Wireshark) targeting the device control APIs could help identify suspicious activity. Specific commands might include capturing HTTP requests to the device control API endpoints and inspecting the serial number parameters for anomalies. However, no exact commands are provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting network access to the Petlibro Smart Pet Feeder Platform APIs to trusted users only, implementing network-level controls such as firewalls or access control lists to prevent unauthorized API calls, and monitoring for suspicious activity involving device control APIs. Additionally, updating the platform to a version that patches this improper access control vulnerability once available is recommended. Since the vulnerability allows unauthorized control via arbitrary serial numbers, ensuring that only authorized users can send API requests is critical. [1]