Furbo Mini Firmware
Weak cryptographic hash implementation in Tomofun Furbo 360 and Furbo Mini firmware allows local attackers with low privileges to compromise password security through use of insecure encryption algorithms in the password handler. The vulnerability affects Furbo 360 up to firmware version FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. Publicly available exploit code exists, though real-world exploitation requires physical device access and high technical complexity.
A vulnerability was found in Tomofun Furbo 360 and Furbo Mini. The affected element is an unknown function of the component Root Account Handler. Manipulation results in the use of a hard-coded password. The attack must be initiated locally, is considered to have high complexity, and its exploitability is described as difficult. The exploit has been made public and could be used. The affected firmware versions are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.
Server-side request forgery in Tomofun Furbo 360 and Furbo Mini dog cameras allows remote attackers to manipulate the TF_FQDN.json configuration file via the GATT Interface URL Handler, enabling arbitrary internal network requests with low confidentiality and integrity impact. Affected firmware versions are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. Publicly available exploit code exists, though the attack requires high complexity and is not actively exploited at scale per EPSS data (0.06%, percentile 18%).
Information disclosure vulnerability in Tomofun Furbo 360 and Furbo Mini dog cameras allows local network attackers to extract sensitive DeviceToken data via manipulation of GATT Service arguments. The attack requires high technical complexity and adjacency to the target network. Publicly available exploit code exists; however, the extremely low EPSS score (0.03%) and the requirement for local network access and high attack complexity suggest limited real-world exploitation likelihood despite PoC availability.
Improper access controls in the GATT Service of Tomofun Furbo 360 and Furbo Mini dog cameras allow local network attackers to disclose sensitive information without authentication. Affected firmware versions are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. Publicly available exploit code exists, though the low CVSS score of 2.1 and minimal EPSS (0.03%) reflect the local network-only attack vector and information disclosure impact.
Insecure storage of sensitive information in Tomofun Furbo 360 and Furbo Mini dog cameras allows physical attackers to extract unencrypted credentials and private data via the UART interface. Affected firmware versions are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vulnerability requires physical device access and high technical complexity, but publicly available exploit code exists. The vendor did not respond to early disclosure notification.