| Title | Tomofun Furbo 360, Furbo Mini Furbo 360 (≤ FB0035_FW_036), Furbo Mini (≤ MC0020_FW_074) Insertion of Sensitive Information into Log File |
|---|
| Description | An attacker who is connected to the UART interface of the Furbo 360 device can observe the Firmware URL and the SecretKey, as well as the DeviceToken and DeviceId values. Using the firmware and SecretKey, the attacker can retrieve and decrypt the firmware files. With the DeviceToken and DeviceId values, they can impersonate the device and upload malicious files to a debug server used by Tomofun support. |
|---|
| User | jTag Labs (UID 51246) |
|---|
| Submission | 09/23/2025 19:09 (7 months ago) |
|---|
| Moderation | 10/11/2025 20:33 (18 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 328045 [Tomofun Furbo 360/Furbo Mini UART Interface information disclosure] |
|---|
| Points | 16 |
|---|