
Furbo 360 and Furbo Mini CVE-2025-11648

Severity: LOW (2.9, CVSS 4.0, NVD)
Weakness: Server-Side Request Forgery (SSRF) (CWE-918)
Published: 2025-10-12 (CNA: cna@vuldb.com)

Severity by source

NVD (primary): 2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 02:17 (vuln.today)

Description (CVE.org)

A vulnerability has been found in Tomofun Furbo 360 and Furbo Mini. Impacted is an unknown function of the file TF_FQDN.json of the component GATT Interface URL Handler. Such manipulation leads to server-side request forgery. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is considered difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

Server-side request forgery in Tomofun Furbo 360 and Furbo Mini dog cameras allows a remote attacker to manipulate the TF_FQDN.json configuration file through the GATT Interface URL Handler, making the device issue requests to attacker-chosen internal or external destinations, with low confidentiality, integrity and availability impact. Affected firmware versions are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. Publicly available exploit code exists, but the attack is rated high complexity and EPSS data (score 0.06%, 18th percentile) indicates it is not being exploited at scale.

Technical Context (AI)

This vulnerability is a server-side request forgery (SSRF, CWE-918) in the GATT Interface URL Handler component of Furbo pet cameras. GATT (Generic Attribute Profile) is the Bluetooth Low Energy layer that exposes a device's data as readable and writable characteristics, and is commonly used for app-to-device provisioning. The vulnerability allows manipulation of the TF_FQDN.json configuration file, which likely holds the FQDN (Fully Qualified Domain Name) settings the device uses for API calls or firmware updates. By writing a malicious URL into this configuration over BLE, an attacker can make the device issue HTTP/HTTPS requests to attacker-controlled or internal network destinations, potentially exfiltrating data or interacting with backend services. Because the write happens over BLE, the attacker needs radio proximity to the camera, which is consistent with the high attack complexity rating. Affected products: Furbo 360 (cpe:2.3:o:furbo:furbo_360_dog_camera_firmware:*:*:*:*:*:*:*:*) and Furbo Mini (cpe:2.3:o:furbo:furbo_mini_firmware:*:*:*:*:*:*:*:*).
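The device-side fix for this class of bug is to treat a BLE-written endpoint as untrusted input and validate it before any request is made. The following is an added example of such a check; it is not Tomofun's code and is not taken from the advisory. The advisory does not document the real layout of TF_FQDN.json, so the config shape ({"fqdn": ...}), the allowlist suffix example-vendor.com, the fake DNS table and the sample configs are all assumptions constructed here for illustration.

```python
"""Added example: validating a BLE-provisioned endpoint before use.

Not vendor code. The config layout, allowlist, resolver table and samples
are constructed assumptions; TF_FQDN.json's real format is not public.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Hypothetical allowlist of legitimate backend domains (placeholder value).
ALLOWED_SUFFIXES = ("example-vendor.com",)


def host_allowed(host: str) -> bool:
    """True if host equals, or is a subdomain of, an allowlisted suffix."""
    host = host.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def is_ip_literal(host: str) -> bool:
    """Detect IPv4/IPv6 literals (with or without IPv6 brackets)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def validate_endpoint(raw_json: str, resolver) -> tuple[bool, str]:
    """Check an endpoint config before the device uses it for any request.

    resolver(host) -> list of IP strings; injected so the check runs offline.
    Returns (ok, reason).
    """
    try:
        cfg = json.loads(raw_json)
    except json.JSONDecodeError:
        return False, "malformed JSON"
    value = cfg.get("fqdn") if isinstance(cfg, dict) else None
    if not isinstance(value, str) or not value:
        return False, "missing fqdn"

    # Accept either a bare host name or a full URL; reduce both to a host.
    if "://" in value:
        try:
            parts = urlsplit(value)
            port = parts.port  # raises ValueError on a non-numeric port
        except ValueError:
            return False, "malformed URL"
        if parts.scheme != "https":
            return False, f"scheme {parts.scheme!r} not allowed"
        if port not in (None, 443):
            return False, f"port {port} not allowed"
        host = parts.hostname or ""
    else:
        host = value
    host = host.rstrip(".").lower()

    # Raw addresses bypass any name-based policy, so reject them outright.
    if is_ip_literal(host):
        return False, "IP literal not allowed"
    if not host_allowed(host):
        return False, f"host {host!r} not in allowlist"

    # Name-based allowlisting alone is not enough: check what the name
    # resolves to, so an allowlisted name cannot be pointed at loopback,
    # link-local or RFC 1918 space.
    addrs = resolver(host)
    if not addrs:
        return False, "name did not resolve"
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


# Constructed DNS table standing in for the device's resolver.
FAKE_DNS = {
    "api.example-vendor.com": ["8.8.8.8"],        # globally routable
    "internal.example-vendor.com": ["10.0.0.5"],  # allowlisted name, private target
}


def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


# Constructed sample configs exercising the main failure modes.
SAMPLES = {
    "legitimate": '{"fqdn": "api.example-vendor.com"}',
    "full_url": '{"fqdn": "https://api.example-vendor.com/v1/"}',
    "plain_http": '{"fqdn": "http://api.example-vendor.com/"}',
    "link_local_ip": '{"fqdn": "169.254.169.254"}',
    "lookalike": '{"fqdn": "api.example-vendor.com.attacker.test"}',
    "rebound": '{"fqdn": "https://internal.example-vendor.com/"}',
    "garbage": 'not json',
}


def run_samples() -> dict[str, bool]:
    """Map each sample name to whether the validator accepts it."""
    return {name: validate_endpoint(cfg, fake_resolver)[0] for name, cfg in SAMPLES.items()}


if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(f"{name:14} -> {validate_endpoint(cfg, fake_resolver)}")
```

The resolution step is the part most implementations skip: a suffix allowlist on its own is defeated as soon as any name under the trusted domain can be made to resolve to an internal address, so the check should be applied to the addresses actually used for the connection, not only to the string written over BLE.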

Remediation (AI)

No vendor-released patch has been identified at the time of analysis; Tomofun did not respond to the early disclosure notification. Users should implement the following mitigations:

1. Restrict BLE connectivity to authorized devices only by disabling Bluetooth when the camera's mobile app is not actively in use. This removes the attack vector at the cost of losing the Bluetooth-based features while it is off.
2. Network segmentation: isolate the camera on a separate VLAN or guest network with egress filtering to limit where forged requests can reach. This reduces the data exfiltration risk but does not prevent the SSRF itself.
3. Monitor firmware update channels for any future security releases from Tomofun.
4. Users seeking immediate remediation should contact Tomofun support directly or consider replacing the device with an alternative that receives active security maintenance.

Exploit code published on GitHub (https://github.com/dead1nfluence/Furbo-Advisories/blob/main/SSRF-via-BLE.md) demonstrates the BLE-based attack method.
