CVE-2025-11634: Information Disclosure in Tomofun Furbo 360
A security flaw has been discovered in Tomofun Furbo 360 and Furbo Mini. It affects an unspecified part of the UART Interface component. Manipulation of this interface results in information disclosure. The attack requires physical access to the device. An exploit has been released to the public and may be used. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-11634 identifies an information disclosure vulnerability in the UART interface of the Tomofun Furbo 360 and Furbo Mini smart pet cameras. UART (Universal Asynchronous Receiver/Transmitter) is a serial hardware interface commonly left on embedded boards for debugging or device management. The vulnerability allows an attacker with physical access to the device to manipulate the UART interface and extract sensitive information from it. The exact nature of the disclosed information is unspecified but could include device configuration, firmware data, or other internal state. The flaw affects firmware versions Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. Exploitation does not require authentication, user interaction, or network access, but physical access is mandatory, which limits the attack surface. The vendor was notified early but has not issued any response or patch, leaving devices vulnerable. The CVSS 4.0 vector indicates a physical attack vector (AV:P), low attack complexity (AC:L), no privileges or user interaction required, and low impact on confidentiality. Although a public exploit exists, no exploitation in the wild has been reported, suggesting limited active exploitation. This vulnerability highlights the risk in IoT devices of hardware interfaces that are overlooked in security design.
Potential Impact
For European organizations, the impact of this vulnerability is generally low because physical access is required and the scope of information disclosure is limited. However, where Furbo devices are deployed in accessible locations, such as offices, retail spaces, or public areas, an attacker could extract device information that might aid further attacks or privacy violations. Organizations using these devices for monitoring or security purposes face confidentiality risks if attackers gain insight into device internals. The lack of vendor response and patches also increases the risk of prolonged exposure. While the direct impact on critical infrastructure is minimal, organizations should consider that this vulnerability could be leveraged as one step in a broader attack chain, especially in environments with weak physical security controls.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should implement strict physical security controls to prevent unauthorized access to Furbo 360 and Furbo Mini devices. This includes placing devices in secure locations, using tamper-evident seals, and monitoring physical access logs where possible. Network segmentation should isolate IoT devices from critical systems, limiting the impact of any compromise. Organizations should also monitor for unusual device behavior or signs of tampering. Since no patches are available, consider disabling or restricting the UART interface if feasible, or replacing affected devices with models that have addressed this vulnerability. Engage with the vendor for updates and advocate for timely security patches. Finally, incorporate this vulnerability into risk assessments and incident response plans.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-11T18:32:22.501Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68eba4434919031131a7368e
Added to database: 10/12/2025, 12:51:15 PM
Last enriched: 10/12/2025, 12:51:33 PM
Last updated: 10/15/2025, 9:31:35 AM