CVE-2025-11633: Improper Certificate Validation in Tomofun Furbo 360
A vulnerability was identified in Tomofun Furbo 360 and Furbo Mini. Affected by this issue is some unknown functionality of the component HTTP Traffic Handler. The manipulation leads to improper certificate validation. The attack may be initiated remotely. The attack is considered to have high complexity. The exploitation is known to be difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-11633 identifies a vulnerability in the Tomofun Furbo 360 and Furbo Mini smart pet cameras, specifically within an unspecified functionality of the HTTP Traffic Handler component. The issue stems from improper certificate validation, which can allow an attacker to perform man-in-the-middle (MitM) attacks by intercepting or manipulating HTTPS traffic between the device and its backend services. The vulnerability is exploitable remotely without requiring authentication or user interaction, but the attack complexity is high, indicating that exploitation requires significant skill or specific conditions. The affected firmware versions are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The CVSS 4.0 base score is 6.3 (medium severity), reflecting a network attack vector with no privileges or user interaction needed, but high attack complexity and low impact on confidentiality, integrity and availability. No known exploits have been reported in the wild, the vendor has not responded to disclosure attempts, and no patches have been released. This vulnerability could allow attackers to bypass TLS protections, potentially leading to data interception or injection of malicious content, undermining the confidentiality and integrity of communications. Given the device's role in home security and privacy, this vulnerability poses a risk to user data and to trust in the device's security.
Potential Impact
For European organizations and consumers using Tomofun Furbo devices, this vulnerability could compromise the confidentiality and integrity of data transmitted by these smart cameras. Although the direct impact on critical infrastructure is limited, the devices often reside in home or office environments where sensitive audio and video data are captured. Exploitation could lead to unauthorized surveillance or data leakage. Privacy regulations such as GDPR increase the stakes for organizations if personal data is compromised. The lack of vendor response and patch availability prolongs exposure, increasing risk over time. Additionally, attackers could leverage this vulnerability as a foothold to pivot into broader network environments if devices are connected to corporate networks. The medium severity and high attack complexity reduce the likelihood of widespread exploitation but do not eliminate risk, especially in targeted attacks against high-value individuals or organizations. European entities with smart office or home automation deployments should consider this vulnerability in their risk assessments.
Mitigation Recommendations
Since no patches are currently available, European organizations and users should implement compensating controls. First, isolate Furbo devices on separate network segments or VLANs to limit lateral movement and exposure to sensitive systems. Employ strict firewall rules to restrict outbound and inbound traffic to only trusted endpoints associated with Tomofun services. Monitor network traffic for unusual patterns or unexpected certificate anomalies that could indicate MitM attempts. Disable remote access features if not required, and avoid connecting these devices directly to corporate networks. Where possible, use network-level TLS inspection tools to detect improper certificate validation attempts. Maintain an inventory of affected devices and firmware versions to prioritize mitigation efforts. Engage with Tomofun for updates and monitor security advisories for patch releases. Finally, educate users about the risks of using vulnerable IoT devices in sensitive environments.
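One way to implement the certificate-anomaly monitoring recommended above, as an added example that is not part of this advisory: it runs over a constructed tab-separated TLS handshake log (the hostnames, issuers and fingerprints are placeholders, not Tomofun's real endpoints or CA) and flags self-signed certificates, issuers outside a baseline, subject/SNI mismatches and fingerprint changes, which is what an accepted MitM certificate looks like from the network side when the client itself fails to validate.

```python
from collections import defaultdict

# Constructed baseline: expected issuer per backend hostname (placeholders,
# not Tomofun's real endpoints or CA).
BASELINE = {
    "api.example-petcam.test": "CN=Example Public CA",
    "stream.example-petcam.test": "CN=Example Public CA",
}

# Constructed tab-separated log: ts, device_ip, sni, subject, issuer, fingerprint.
SAMPLE_LOG = """\
1760000001\t192.168.50.10\tapi.example-petcam.test\tCN=api.example-petcam.test\tCN=Example Public CA\taa11
1760000002\t192.168.50.10\tstream.example-petcam.test\tCN=stream.example-petcam.test\tCN=Example Public CA\tbb22
1760000003\t192.168.50.10\tapi.example-petcam.test\tCN=api.example-petcam.test\tCN=api.example-petcam.test\tcc33
1760000004\t192.168.50.10\tapi.example-petcam.test\tCN=api.example-petcam.test\tCN=Example Public CA\taa11
1760000005\t192.168.50.10\tapi.example-petcam.test\tCN=intercept.local\tCN=Corp Proxy CA\tdd44
"""

def parse(log_text):
    """Yield one dict per log line; blank lines are skipped."""
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, sni, subject, issuer, fp = line.split("\t")
            yield {"ts": ts, "ip": ip, "sni": sni, "subject": subject,
                   "issuer": issuer, "fp": fp}

def find_anomalies(records, baseline=BASELINE):
    """Return (ts, sni, reasons) for each handshake that deviates from the baseline.
    A validating client would abort these; a non-validating one completes them."""
    seen_fp = defaultdict(set)   # fingerprints accepted so far, per SNI
    alerts = []
    for r in records:
        reasons = []
        if r["subject"] == r["issuer"]:
            reasons.append("self-signed certificate")
        expected = baseline.get(r["sni"])
        if expected is not None and r["issuer"] != expected:
            reasons.append(f"unexpected issuer {r['issuer']}")
        if r["subject"] != f"CN={r['sni']}":
            reasons.append("subject does not match SNI")
        if seen_fp[r["sni"]] and r["fp"] not in seen_fp[r["sni"]]:
            reasons.append("fingerprint changed since first observation")
        if reasons:
            alerts.append((r["ts"], r["sni"], reasons))
        else:
            seen_fp[r["sni"]].add(r["fp"])   # only trust clean observations
    return alerts
```

Feed it real handshake records (for example exported from a network sensor on the segment the cameras live on) with a baseline built from a known-good capture; the third and fifth sample lines trigger alerts.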
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-11T18:32:19.461Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68eb9db55b13363b9aae311e
Added to database: 10/12/2025, 12:23:17 PM
Last enriched: 10/12/2025, 12:23:43 PM
Last updated: 10/12/2025, 2:57:39 PM