CVE-2025-11635 identifies a resource consumption vulnerability in the Tomofun Furbo 360 pet camera, specifically in the file upload component of firmware version FB0035_FW_036. The vulnerability allows an unauthenticated remote attacker to manipulate the file upload functionality to cause excessive resource consumption, potentially leading to denial of service conditions. The exact code path and technical details of the flaw remain unspecified, but the impact is primarily on device availability due to resource exhaustion. The vulnerability does not require user interaction or privileges, making it easier to exploit remotely over the network. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VA:L). The vendor Tomofun has not responded to the vulnerability disclosure, and no patches or mitigations have been provided at this time. The Furbo 360 is a consumer IoT device used primarily for pet monitoring, which may be deployed in homes and small businesses. Exploitation could disrupt device functionality, potentially impacting users relying on the device for pet care monitoring. Although no known exploits are currently in the wild, the vulnerability’s characteristics make it a candidate for denial of service attacks. The lack of vendor response and patch availability increases the urgency for defensive measures at the network and operational levels.

For European organizations and consumers using the Tomofun Furbo 360, this vulnerability could lead to denial of service conditions, rendering the device unavailable for pet monitoring. While the direct impact on critical infrastructure is limited due to the device’s consumer focus, disruption could affect small businesses or services relying on pet monitoring technology. The resource exhaustion could also be leveraged as part of a larger attack to cause network congestion or to distract security teams. The absence of authentication requirements and user interaction lowers the barrier for attackers, increasing the risk of widespread exploitation if automated attacks emerge. The medium CVSS score reflects moderate impact, but the lack of patching and vendor engagement elevates operational risk. European users may experience privacy concerns if devices become unresponsive or require resets, potentially interrupting pet care routines. Additionally, compromised devices could be co-opted into botnets, indirectly impacting broader network security within European networks.

1. Network Segmentation: Isolate Furbo 360 devices on separate VLANs or network segments to limit potential lateral movement or impact on critical systems. 2. Access Controls: Restrict inbound network access to the devices, allowing only trusted IP addresses or internal network segments to communicate with the Furbo 360. 3. Traffic Monitoring: Deploy network monitoring tools to detect unusual file upload activity or spikes in resource consumption indicative of exploitation attempts. 4. Device Hardening: Disable unnecessary services and features on the device if configurable, reducing the attack surface. 5. Firmware Updates: Regularly check for firmware updates from Tomofun and apply patches promptly once available. 6. Incident Response: Prepare procedures for rapid device reset or replacement if exploitation is detected. 7. Vendor Engagement: Continue efforts to engage Tomofun for official patches or advisories. 8. User Awareness: Educate users on the risks and encourage reporting of device malfunctions or unusual behavior. 9. Use of Network Intrusion Prevention Systems (IPS): Configure IPS signatures to detect and block suspicious file upload patterns targeting the Furbo 360. 10. Limit Exposure: Avoid exposing the device directly to the internet; use VPNs or secure tunnels if remote access is necessary.