Tomofun Furbo 360/Furbo Mini Trial Restriction access control
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.7 | $0-$5k | 0.15 |
Summary
A vulnerability was found in Tomofun Furbo 360 and Furbo Mini and classified as problematic. Affected is an unknown function of the component Trial Restriction Handler. Such manipulation leads to access control. This vulnerability is uniquely identified as CVE-2025-11641. The attack can be executed directly on the physical device. Moreover, an exploit is present. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.
Details
A vulnerability, which was classified as problematic, has been found in Tomofun Furbo 360 and Furbo Mini (Firmware Software) (the affected version is unknown). Affected by this issue is an unknown code of the component Trial Restriction Handler. The manipulation with an unknown input leads to a access control vulnerability. Using CWE to declare the problem leads to CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Impacted is confidentiality, integrity, and availability.
The bug was discovered 05/15/2025. The weakness was disclosed by Calvin Star, Julian B (skelet4r and dead1nfluence) with Software Secured. This vulnerability allows an attacker with physical access to the device to bypass trial restrictions by modifying the device's MAC address. Each time the MAC address on the device is changed a new corresponding DeviceID is assigned to the Furbo which results in a fresh 30-day premium trial being assigned to the device during the registration process. This effectively grants unlimited access to premium features for the Furbo device. This vulnerability is handled as CVE-2025-11641. The exploitation is known to be difficult. The attack needs to be approached locally. No form of authentication is required for exploitation. Technical details are unknown but a private exploit is available. The MITRE ATT&CK project declares the attack technique as T1068.
A private exploit has been developed by Calvin Star (Skelet4r) in Bash. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 149 days. During that time the estimated underground price was around . The vendor was contacted early about this disclosure but did not respond in any way. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. Replication Steps: 1. Modify the factory config file located in /mnt/hw/factory.json to include the MAC address and BTMAC address 2. Change the MAC address specified within the factory.json file 3. Remove the device configuration file located in /mnt/flash/furbo/setup_info.json 4. Reboot the Furbo 5. Complete the registration process of the Furbo in the mobile app
There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.
The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2025-33905). Once again VulDB remains the best source for vulnerability data.
Product
Type
Vendor
Name
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CNA CVSS-B Score: 🔒
CNA CVSS-BT Score: 🔒
CNA Vector: 🔒
CVSSv3
VulDB Meta Base Score: 4.7VulDB Meta Temp Score: 4.7
VulDB Base Score: 3.9
VulDB Temp Score: 3.7
VulDB Vector: 🔒
VulDB Reliability: 🔍
NVD Base Score: 6.4
NVD Vector: 🔒
CNA Base Score: 3.9
CNA Vector: 🔒
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Access controlCWE: CWE-284 / CWE-266
CAPEC: 🔒
ATT&CK: 🔒
Physical: Yes
Local: Yes
Remote: No
Availability: 🔒
Access: Private
Status: Proof-of-Concept
Author: Calvin Star (Skelet4r)
Programming Language: 🔒
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: no mitigation knownStatus: 🔍
0-Day Time: 🔒
Timeline
05/15/2025 Vulnerability found06/21/2025 Vendor informed
07/03/2025 Vendor acknowledged
10/11/2025 Advisory disclosed
10/11/2025 VulDB entry created
10/31/2025 VulDB entry last update
Sources
Researcher: Calvin Star, Julian B (skelet4r, dead1nfluence)Organization: Software Secured
Status: Not defined
CVE: CVE-2025-11641 (🔒)
GCVE (CVE): GCVE-0-2025-11641
GCVE (VulDB): GCVE-100-328052
EUVD: 🔒
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 10/11/2025 20:38Updated: 10/31/2025 05:43
Changes: 10/11/2025 20:38 (51), 10/12/2025 21:38 (1), 10/12/2025 23:14 (29), 10/17/2025 07:50 (2), 10/17/2025 07:51 (17), 10/17/2025 07:54 (5), 10/31/2025 05:43 (12)
Complete: 🔍
Submitter: jTag Labs
Committer: jTag Labs
Cache ID: 216:599:103
Submit
Accepted
- Submit #661379: Tomofun Furbo 360, Furbo Mini Furbo 360 (≤ FB0035_FW_036), Furbo Mini (≤ MC0020_FW_074) Application Logic Bypass (by jTag Labs)
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.