Skip to main content

Tomofun Furbo Mobile App CVE-2025-11645

LOW
Information Exposure (CWE-200)
2025-10-12 cna@vuldb.com
0.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
0.9 LOW
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 02:17 vuln.today

DescriptionCVE.org

A security vulnerability has been detected in Tomofun Furbo Mobile App up to 7.57.0a on Android. This affects an unknown part of the component Authentication Token Handler. The manipulation leads to insecure storage of sensitive information. It is possible to launch the attack on the physical device. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Insecure storage of authentication tokens in Tomofun Furbo Mobile App for Android up to version 7.57.0a allows local attackers with physical device access to extract sensitive credential information from the device storage. The vulnerability affects the Authentication Token Handler component and has been publicly disclosed with exploit details available. Despite early vendor contact, no patch or remediation response has been provided by Tomofun.

Technical ContextAI

The vulnerability resides in the Authentication Token Handler component of the Furbo Android application, which fails to implement secure storage mechanisms for sensitive authentication credentials. Rather than using Android's secure storage APIs (such as Android Keystore or EncryptedSharedPreferences), the application stores authentication tokens in plaintext or weakly protected storage locations accessible to local processes. This is a violation of CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), where sensitive data is inadequately protected against unauthorized access. The attack surface is limited to physical or adb-accessible devices, but the consequence is complete exposure of session tokens and authentication material.

Affected ProductsAI

Tomofun Furbo Mobile App for Android, versions up to and including 7.57.0a (CPE data not provided in source material). The vulnerability specifically impacts the Authentication Token Handler component. The affected version range suggests the vulnerability may persist in later releases given the vendor's documented non-response to disclosure.

RemediationAI

Primary remediation requires Tomofun to release a patched version that implements secure storage for authentication tokens using Android Keystore System or EncryptedSharedPreferences. At present, no vendor-released patch has been identified or confirmed. Users should immediately update to any version newer than 7.57.0a if available, though patch status from Tomofun is unconfirmed. As a compensating control pending vendor patching, users should enable device-level security measures: enable device lock screen with strong PIN/biometric, disable USB debugging when not in active use, use a Mobile Device Management (MDM) solution to enforce encryption if deployed in enterprise contexts, and consider revoking Furbo app permissions and re-authenticating through a secure browser session after updating. Device owners should assume that anyone with physical access to an unlocked device can extract stored authentication tokens and should monitor Furbo account activity and linked camera access logs for suspicious access patterns. The GitHub advisory at https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Insecure.md contains technical details of the insecure storage mechanism.

Share

CVE-2025-11645 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy