CVE-2025-11646 in Furbo 360

Summary

by MITRE • 10/13/2025

A vulnerability was detected in Tomofun Furbo 360 and Furbo Mini. This vulnerability affects unknown code of the component GATT Service. The manipulation results in improper access controls. The attack can only be performed from the local network. The exploit is now public and may be used. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.


Analysis

by VulDB Data Team • 10/27/2025

This vulnerability in Tomofun Furbo 360 and Furbo Mini devices is a critical access control flaw in the Bluetooth GATT service implementation. The issue stems from improper access controls in the GATT service component, which is the foundation for Bluetooth Low Energy communication between the device and its mobile application. A GATT service defines how data is structured and accessed over a Bluetooth connection, so a service that does not enforce permissions on its characteristics is a direct path to unauthorized use of device functionality. The affected firmware versions are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074; these versions do not enforce access controls on the service correctly and could allow unauthorized manipulation of device features.

Exploitation requires local network access, which aligns with attack patterns documented in the ATT&CK framework under network service discovery and lateral movement techniques. This restriction reduces the attack surface compared to remotely exploitable vulnerabilities, but it still represents a significant risk for users whose local network has already been compromised. Because the exploit is now public, a threat actor with local network access can manipulate device functionality without additional reconnaissance or specialized tooling. This vulnerability maps to CWE-284 (Improper Access Control), here in the form of access permissions that are not enforced within the Bluetooth service implementation.
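To make the CWE-284 pattern concrete, the following added example (not Furbo firmware and not VulDB material; the characteristic UUIDs, security levels and write handlers are constructed) models an ATT write-request check in a GATT server: a handler that accepts writes from any connected central, beside one that enforces the link security level each characteristic requires, plus a small audit that flags writable characteristics with no security requirement.

```python
"""Model of GATT characteristic permission enforcement (CWE-284 in a BLE service).
Constructed example: not Furbo firmware; UUIDs and required levels are made up.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Sec(IntEnum):
    """Link security level as the ATT server sees it for the current connection."""
    NONE = 0           # unencrypted link
    ENCRYPTED = 1      # encrypted, unauthenticated pairing (e.g. Just Works)
    AUTHENTICATED = 2  # encrypted with MITM-protected pairing


# ATT error codes from the Bluetooth Core Specification (Vol 3, Part F)
ATT_WRITE_NOT_PERMITTED = 0x03
ATT_INSUFFICIENT_AUTHENTICATION = 0x05
ATT_INSUFFICIENT_ENCRYPTION = 0x0F
ATT_SUCCESS = 0x00


@dataclass
class Characteristic:
    uuid: str                 # constructed 16-bit UUID string
    writable: bool
    required: Sec             # minimum link security to accept a write
    value: bytes = field(default=b"")


def write_vulnerable(chr: Characteristic, link: Sec, data: bytes) -> int:
    """Accepts every write from every connected central: the CWE-284 pattern."""
    chr.value = data
    return ATT_SUCCESS


def write_hardened(chr: Characteristic, link: Sec, data: bytes) -> int:
    """Rejects the write unless the link meets the characteristic's requirement."""
    if not chr.writable:
        return ATT_WRITE_NOT_PERMITTED
    if chr.required >= Sec.AUTHENTICATED and link < Sec.AUTHENTICATED:
        return ATT_INSUFFICIENT_AUTHENTICATION
    if chr.required >= Sec.ENCRYPTED and link < Sec.ENCRYPTED:
        return ATT_INSUFFICIENT_ENCRYPTION
    chr.value = data
    return ATT_SUCCESS


def audit(table: list[Characteristic]) -> list[str]:
    """Return UUIDs of writable characteristics that require no link security."""
    return [c.uuid for c in table if c.writable and c.required == Sec.NONE]
```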

The operational impact of this vulnerability extends beyond simple unauthorized access to potential privacy breaches and device compromise. An attacker with access to a pet owner's local network could manipulate device settings, access live video feeds, or control device functionality in ways that compromise both device security and user privacy. The presence of this flaw in a consumer IoT device such as a pet camera illustrates the growing concern about insecure embedded systems in the Internet of Things ecosystem. The lack of vendor response to early disclosure attempts creates additional risk for users, as it suggests either insufficient security awareness within the vendor organization or delays in addressing the issue. This reflects a common challenge in IoT security: vendors may not prioritize vulnerabilities in older firmware versions or may lack a proper vulnerability disclosure process. With the exploit publicly available, affected users cannot count on time before attempts at exploitation, so prompt action through firmware updates or device replacement is critical for maintaining security posture.

Responsible: VulDB

Disclosure: 10/13/2025

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.00503

KEV: no

Activities: very low
