
Furbo 360 and Furbo Mini CVE-2025-11647

Severity: LOW
Weakness: Information Exposure (CWE-200)
Published: 2025-10-12 (CNA: cna@vuldb.com)
Score: 1.3 (CVSS 4.0, NVD)

Severity by source

NVD (primary): 1.3 LOW
CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Adjacent
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: X (not a CVSS 4.0 base metric; the S:X in the vector is the Safety supplemental metric, left Not Defined)

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 02:17 (vuln.today)

Description (CVE.org)

A flaw has been found in Tomofun Furbo 360 and Furbo Mini. This issue affects some unknown processing of the component GATT Service. This manipulation of the argument DeviceToken causes information disclosure. The attack is only possible within the local network. A high degree of complexity is needed for the attack. The exploitability is assessed as difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI-generated)

Information disclosure vulnerability in Tomofun Furbo 360 and Furbo Mini dog cameras allows attackers in adjacent (local network / BLE range) position to extract the sensitive DeviceToken value by manipulating GATT Service arguments. The attack requires high technical complexity and adjacency to the target. Public proof-of-concept exploit code exists (CVSS E:P); however, the extremely low EPSS score (0.03%), the need for adjacent access and the high attack complexity together suggest limited real-world exploitation likelihood.

Technical Context (AI-generated)

The vulnerability resides in the Bluetooth Low Energy (BLE) GATT (Generic Attribute Profile) service implementation of Furbo smart pet cameras. GATT defines how a BLE peripheral exposes its data as services and characteristics that a connected central device can discover, read, write and subscribe to. An unspecified processing routine in the camera's GATT Service lets an attacker within BLE range on the local network manipulate the DeviceToken argument and trigger information disclosure. The CWE-200 classification (Exposure of Sensitive Information to an Unauthorized Actor) indicates that the authentication or access controls around this characteristic are insufficient to prevent token extraction. The affected firmware versions are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074; the vendor has released no patched versions.

Remediation (AI-generated)

No vendor-released patch exists for this vulnerability, so mitigation relies on reducing exposure. Restrict BLE discovery and connection attempts to authorized devices, and disable Bluetooth connectivity on the camera if it is not actively required for its intended functionality; this is the control that directly addresses the BLE attack surface, because BLE is a separate radio that Wi-Fi controls do not reach. Place the cameras on a dedicated IoT VLAN or separate wireless network with restricted inbound access, and use strong Wi-Fi encryption (WPA3 preferred) and restricted SSID broadcast to limit local network access; these steps constrain what an attacker can reach with a disclosed token or a compromised camera rather than preventing the BLE read itself. Alternatively, consider replacing affected Furbo models with pet cameras from vendors with an active security maintenance and patch deployment history. Monitor for unexpected BLE connections to the cameras and for anomalous activity involving the DeviceToken. Users should watch the VulDB entry at https://vuldb.com/?ctiid.328058 and Tomofun's own channels for any future firmware updates, though the vendor's non-responsiveness to this disclosure suggests updates are unlikely.
