Tomofun Furbo 360 and Furbo Mini CVE-2025-11646
LOW severity by source (primary rating from NVD, the only source for this CVE)
CVSS Vector (NVD):
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was detected in Tomofun Furbo 360 and Furbo Mini. This vulnerability affects unknown code of the component GATT Service. The manipulation results in improper access controls. The attack can only be performed from the local network. The exploit is now public and may be used. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Improper access controls in the GATT Service of the Tomofun Furbo 360 and Furbo Mini dog cameras allow an attacker on the local (adjacent) network to disclose sensitive information without authentication. Affected firmware versions are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. Publicly available exploit code exists; the low CVSS score of 2.1 and minimal EPSS (0.03%) reflect the adjacent-network-only attack vector and the information-disclosure impact.
Technical Context (AI)
The vulnerability exists in the GATT (Generic Attribute Profile) Service, the Bluetooth Low Energy (BLE) protocol layer through which a device exposes its attributes (services and characteristics) to connected peers. The root cause is classified as CWE-266 (Improper Privilege Management), indicating that the GATT Service fails to enforce proper access controls on sensitive operations or data. The affected products are Bluetooth-enabled pet cameras whose firmware exposes protected attributes via the GATT interface without requiring authentication or authorization checks. The public disclosure references information disclosure related to P2P UUID extraction, suggesting that the vulnerability allows unauthorized retrieval of device identifiers or connection parameters used for the cameras' peer-to-peer functionality.
Remediation (AI)
No vendor-released patched firmware versions have been confirmed at the time of analysis. The vendor (Tomofun) was reportedly contacted early but did not respond. Until a firmware update is available, implement the following mitigations:
(1) Restrict Bluetooth/BLE access to the devices by disabling BLE pairing or limiting pairing to trusted devices only. Side effect: reduced functionality for mobile app connections.
(2) Isolate the pet cameras on a segregated network segment, separate from sensitive systems and personal devices. This prevents adjacent-network attackers from reaching the GATT Service.
(3) Monitor for unauthorized Bluetooth connections to the devices using OS-level Bluetooth activity logs.
Users should monitor Tomofun's support channels or GitHub repositories (referenced in the disclosures) for eventual firmware updates and apply them immediately upon availability. Contact Tomofun support to request an estimated patch timeline if the devices are deployed in critical environments.