
CVE-2025-11634: Information Disclosure in Tomofun Furbo 360

Severity: Low
Tags: Vulnerability, CVE-2025-11634
Published: Sun Oct 12 2025 (10/12/2025, 12:32:04 UTC)
Source: CVE Database V5
Vendor/Project: Tomofun
Product: Furbo 360

Description

A security flaw has been discovered in Tomofun Furbo 360 and Furbo Mini. This affects an unknown part of the component UART Interface. The manipulation results in information disclosure. An attack on the physical device is feasible. The exploit has been released to the public and may be exploited. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 10/19/2025, 13:10:27 UTC

Technical Analysis

CVE-2025-11634 is a security vulnerability identified in the Tomofun Furbo 360 and Furbo Mini pet cameras, specifically related to their UART (Universal Asynchronous Receiver/Transmitter) interface. The UART interface is typically used for debugging and low-level communication with embedded devices. The vulnerability allows an attacker with physical access to the device to manipulate the UART interface to disclose sensitive information stored or processed by the device. The exact nature of the information disclosed is unspecified, but it could include device configuration, credentials, or other sensitive data. The affected firmware versions are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was notified early but has not issued any response or patch, leaving the devices vulnerable. The CVSS 4.0 score is 2.4, reflecting a low severity primarily because exploitation requires physical access (Attack Vector: Physical) and no user interaction or privileges are needed. The exploit code has been publicly released, increasing the risk of exploitation by attackers with physical access. No known widespread exploitation has been reported yet. The vulnerability highlights risks in IoT devices that expose debug interfaces without adequate protection, potentially enabling attackers to bypass network-based security controls by directly accessing hardware interfaces.

Potential Impact

For European organizations, the impact of this vulnerability is primarily related to confidentiality breaches due to information disclosure. Since the attack requires physical access, the threat is more significant in environments where devices are deployed in publicly accessible or unsecured locations, such as offices with open access, shared spaces, or retail environments. Disclosed information could facilitate further attacks, including device cloning, unauthorized access to the device’s network, or privacy violations involving recorded data. The lack of vendor response and patches increases the risk of prolonged exposure. Organizations relying on these devices for monitoring or security purposes may face reduced trustworthiness of the device and potential compliance issues under data protection regulations like GDPR if personal data is exposed. However, the low CVSS score and physical access requirement limit the overall impact to targeted attacks rather than large-scale remote exploitation.

Mitigation Recommendations

1. Enforce strict physical security controls to prevent unauthorized access to devices, including secure mounting, locked enclosures, and restricted access areas.
2. Regularly audit device placement to ensure devices are not accessible to untrusted personnel or visitors.
3. Monitor for signs of tampering or unauthorized physical access to devices.
4. If possible, disable or restrict UART interface access at the device hardware or firmware level, or cover UART ports physically to prevent easy access.
5. Maintain an inventory of all Furbo 360 and Furbo Mini devices deployed and track firmware versions to identify affected units.
6. Engage with the vendor or community for updates or unofficial patches and consider alternative devices if no vendor support is forthcoming.
7. For sensitive environments, consider isolating these devices on segmented networks to limit potential lateral movement if compromised.
8. Educate staff about the risks of physical tampering and the importance of reporting suspicious activity around IoT devices.
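Recommendation 5 (inventory and firmware tracking) as an added example, not tooling from Tomofun or from this advisory: it parses the firmware identifier format shown on this page (FB0035_FW_036, MC0020_FW_074), classifies each inventory entry against the affected range, and fails closed on anything it cannot map. The inventory rows and device names are constructed sample data; the "<HW>_FW_<build>" pattern is assumed from the two identifiers the advisory gives.

```python
"""Triage a Furbo device inventory against the affected range for CVE-2025-11634.

Added example; assumes firmware identifiers follow "<HW code>_FW_<build>" as seen in
the advisory, and that an inventory is a list of (device_id, model, firmware) tuples.
"""
import re

# Highest affected firmware build per model, as stated in the advisory.
AFFECTED_UP_TO = {
    "Furbo 360": "FB0035_FW_036",
    "Furbo Mini": "MC0020_FW_074",
}

_FW_RE = re.compile(r"^(?P<hw>[A-Z]{2}\d{4})_FW_(?P<build>\d{3})$")


def parse_firmware(fw):
    """Return (hardware_code, build_number); raise ValueError for unknown formats."""
    m = _FW_RE.match(fw.strip())
    if not m:
        raise ValueError(f"unrecognised firmware identifier: {fw!r}")
    return m.group("hw"), int(m.group("build"))


def classify(model, fw):
    """'affected' if build <= last affected build for the model, 'unverified' if newer
    (no vendor fix has been published, so newer does not mean fixed), else 'unknown'."""
    ceiling = AFFECTED_UP_TO.get(model)
    if ceiling is None:
        return "unknown"
    try:
        hw, build = parse_firmware(fw)
        ceiling_hw, ceiling_build = parse_firmware(ceiling)
    except ValueError:
        return "unknown"
    if hw != ceiling_hw:          # different hardware code: cannot map to the range
        return "unknown"
    return "affected" if build <= ceiling_build else "unverified"


def triage(inventory):
    """Map status -> sorted device ids; everything not 'unverified' needs a physical review."""
    out = {"affected": [], "unverified": [], "unknown": []}
    for dev, model, fw in inventory:
        out[classify(model, fw)].append(dev)
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample inventory (not real device data).
SAMPLE_INVENTORY = [
    ("cam-lobby-01", "Furbo 360", "FB0035_FW_036"),    # last affected build
    ("cam-lobby-02", "Furbo 360", "FB0035_FW_037"),    # hypothetical newer build
    ("cam-kitchen-01", "Furbo Mini", "MC0020_FW_070"),
    ("cam-kitchen-02", "Furbo Mini", "n/a"),           # unparsable -> fail closed
]

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```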


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-10-11T18:32:22.501Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68eba4434919031131a7368e

Added to database: 10/12/2025, 12:51:15 PM

Last enriched: 10/19/2025, 1:10:27 PM

Last updated: 12/3/2025, 7:46:44 AM

