CVE-2025-11635: Resource Consumption in Tomofun Furbo 360
A weakness has been identified in Tomofun Furbo 360 up to FB0035_FW_036. This vulnerability affects unknown code of the component File Upload. This manipulation causes resource consumption. Remote exploitation of the attack is possible. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-11635 describes a resource-consumption weakness (the CWE-400 class) in the Tomofun Furbo 360 pet camera, affecting firmware up to and including FB0035_FW_036. The flaw sits in an unspecified part of the device's File Upload component: a remote attacker can drive it to consume excessive CPU, memory or storage, degrading the camera or taking it offline. The published description states only that remote exploitation is possible; it does not say which network interface exposes the upload path or whether an authenticated session is needed, and the CVSS 4.0 vector behind the 5.3 (medium) base score is not reproduced here, so treat the authentication requirement as unconfirmed rather than absent. The medium score reflects an availability-only impact with no stated effect on confidentiality or integrity. Tomofun was contacted before disclosure and did not respond, so no patch or advisory exists. No in-the-wild exploitation has been reported. With no technical detail on the exact upload flaw, the most likely attack pattern is the usual one for this class: oversized, malformed or simply repeated upload requests that exhaust the device's handling capacity. That matters most where many cameras are deployed or where their alerts feed other monitoring systems.
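The shape of this weakness class in an upload path, as an added illustration rather than code from the Furbo firmware (the affected component is not public): the first handler trusts the client-supplied length and buffers the whole body, so the remote client decides how much memory each request costs; the second rejects over-limit declarations up front, streams in fixed chunks, and still enforces the cap when no Content-Length is present. The 2 MiB cap and 64 KiB chunk size are assumed values chosen for the example.

```python
"""Upload body handling: unbounded read beside a bounded, streamed read.

Added illustration of the resource-consumption pattern in a file-upload path.
It is not Furbo firmware code (the affected component is not public); the
2 MiB cap and 64 KiB chunk size are assumed values chosen for the example.
"""
import io
from typing import BinaryIO, Optional

MAX_UPLOAD_BYTES = 2 * 1024 * 1024   # assumed per-upload cap
CHUNK = 64 * 1024                    # assumed read size; bounds peak memory


class UploadTooLarge(Exception):
    """Raised when a body exceeds the configured cap."""


def vulnerable_receive(stream: BinaryIO, declared_length: int) -> bytes:
    """Trusts the client's Content-Length and buffers the entire body in RAM.

    A remote client controls declared_length and the body size, so it also
    controls how much memory each request consumes; many concurrent requests
    of this shape exhaust a small device.
    """
    return stream.read(declared_length)


def hardened_receive(stream: BinaryIO, declared_length: Optional[int],
                     sink: BinaryIO, limit: int = MAX_UPLOAD_BYTES) -> int:
    """Reject over-limit declarations up front, then stream the body to
    `sink` in fixed chunks, counting bytes actually received.

    declared_length is None when no Content-Length is present (e.g. chunked
    transfer); the cap is then enforced on the bytes read. Peak memory is one
    CHUNK regardless of body size. Returns the number of bytes accepted, which
    is less than declared_length if the client disconnects early.
    """
    if declared_length is not None and not (0 <= declared_length <= limit):
        raise UploadTooLarge(f"declared {declared_length} exceeds limit {limit}")
    received = 0
    while True:
        want = CHUNK if declared_length is None else min(CHUNK, declared_length - received)
        if want <= 0:
            break                        # declared body fully read
        piece = stream.read(want)
        if not piece:
            break                        # client closed the connection early
        received += len(piece)
        if received > limit:
            raise UploadTooLarge(f"body exceeded limit {limit}")
        sink.write(piece)
    return received


def _rejected(stream: BinaryIO, declared_length: Optional[int]) -> bool:
    """True if the hardened handler refuses the body."""
    try:
        hardened_receive(stream, declared_length, io.BytesIO())
    except UploadTooLarge:
        return True
    return False


def demo() -> dict:
    """Run both variants over constructed bodies and report what each did."""
    body = b"\0" * (3 * 1024 * 1024)     # constructed 3 MiB body, over the assumed cap
    return {
        # vulnerable variant: memory use equals whatever the client sent
        "vulnerable_buffered": len(vulnerable_receive(io.BytesIO(body), len(body))),
        # hardened variant: refused on the declared length alone
        "hardened_rejects_declared": _rejected(io.BytesIO(body), len(body)),
        # hardened variant: no Content-Length, refused once the cap is hit
        "hardened_rejects_undeclared": _rejected(io.BytesIO(body), None),
        # small body without Content-Length is accepted in full
        "hardened_accepts_small": hardened_receive(io.BytesIO(b"abc" * 100), None, io.BytesIO()),
        # client declares 100 bytes but disconnects after 50
        "hardened_early_close": hardened_receive(io.BytesIO(b"y" * 50), 100, io.BytesIO()),
    }


if __name__ == "__main__":
    print(demo())
```

The cap on its own does not stop a flood of many small uploads; that needs a per-source connection or rate limit in front of the handler, which is the network-level control the mitigation section below relies on.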
Potential Impact
For European organisations and consumers running Furbo 360 units, the realistic outcome is denial of service: the camera stops streaming, recording or alerting until it recovers or is power-cycled. In veterinary clinics, boarding facilities or smart-home service providers that depend on the feed, that is an operational and customer-trust problem rather than a data-breach one. Confidentiality and integrity are not affected by the flaw as described, but missed alerts and loss of remote monitoring are real consequences. Any unit reachable from an untrusted network, for example on a flat home or office LAN or behind a port forward, is open to opportunistic attacks, and the vendor's silence means the exposure is likely to be prolonged. The flaw provides no code execution, so it is not by itself a route to enrolling the camera in a botnet; its use in broader IoT campaigns would be limited to knocking devices offline. Countries with high adoption of connected pet devices carry proportionally more exposure.
Mitigation Recommendations
With no fix from Tomofun, the controls available are network-level. Place Furbo 360 units on a dedicated IoT VLAN or SSID with no route from untrusted networks and no inbound port forwarding; the device needs outbound connectivity to its cloud service, not inbound reachability from the internet. Because the advisory does not identify which service or port carries the upload path, enumerate what the camera actually listens on (for example with an nmap scan from the IoT segment) before writing firewall rules, then allow only the flows observed in normal operation and rate-limit connections to the device at the gateway. Baseline the camera's normal traffic and alert on bursts of POST/PUT requests or unusual byte volumes toward it; generic IDS/IPS signatures are unlikely to match an endpoint nobody has described, so rate- and volume-based rules are the more useful detection here. If the companion app or device exposes a setting that disables or restricts uploads, use it, but the advisory does not name one. Record firmware versions in the asset inventory (anything at or below FB0035_FW_036 is affected) and watch for a vendor release. Where the camera feed is operationally important and the risk is unacceptable, a device from a vendor with a working disclosure process is the durable fix.
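Rate- and volume-based detection of the kind described above, as an added example and not Furbo tooling. The log format is a constructed, generic gateway line (`timestamp src -> dst:port method path bytes`); since the camera's real upload endpoint and port are not published, the camera address, port, path and thresholds are assumed values to be replaced with what the deployment actually observes. The sample log embeds a legitimate client, a request flood, a byte-volume flood, and two lines the detector must ignore.

```python
"""Rate- and volume-based detection of upload floods toward an IoT camera.

Added example; not Furbo tooling. The log format is a constructed, generic
gateway/proxy line ('timestamp src -> dst:port method path bytes'). The
camera's real upload endpoint and port are not published, so CAMERA_IP, the
port, the path and the thresholds are assumed values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

CAMERA_IP = "10.0.30.5"                  # assumed: camera address on the IoT VLAN
WINDOW_SECONDS = 60
MAX_UPLOADS_PER_WINDOW = 20              # assumed; set from a measured baseline
MAX_BYTES_PER_WINDOW = 50 * 1024 * 1024  # assumed; set from a measured baseline
UPLOAD_METHODS = {"POST", "PUT"}

_T0 = datetime(2025, 10, 12, 14, 19, 0, tzinfo=timezone.utc)


def _line(offset_s: int, src: str, method: str, nbytes: int, dst: str = CAMERA_IP) -> str:
    """Build one constructed log line offset_s seconds after _T0."""
    ts = (_T0 + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} {src} -> {dst}:80 {method} /upload {nbytes}"


# Constructed sample: a legitimate client, a request flood, a byte-volume flood,
# and two lines that must be ignored (a GET, and a POST to a different host).
SAMPLE_LOG = (
    [_line(s, "192.0.2.10", "POST", 4096) for s in (0, 10, 20)]
    + [_line(s, "198.51.100.7", "POST", 8192) for s in range(0, 25)]
    + [_line(s, "203.0.113.9", "PUT", 20 * 1024 * 1024) for s in (5, 15, 25)]
    + [_line(3, "198.51.100.7", "GET", 0),
       _line(4, "198.51.100.7", "POST", 8192, dst="10.0.30.6")]
)


def parse_line(line: str) -> Tuple[datetime, str, str, str, int]:
    """Split one constructed log line into (timestamp, src, dst_ip, method, bytes)."""
    ts, src, _arrow, dst, method, _path, nbytes = line.split()
    dst_ip = dst.rsplit(":", 1)[0]
    return (datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst_ip, method, int(nbytes))


def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Sliding-window per source over upload-like requests to the camera.

    Returns one (source, time, reason) alert per offending source, recorded at
    the first request that crossed either the request-count or byte threshold.
    """
    events = sorted(parse_line(l) for l in lines)    # process in time order
    windows = defaultdict(deque)                      # src -> deque[(ts, bytes)]
    alerts = {}
    for ts, src, dst_ip, method, nbytes in events:
        if dst_ip != CAMERA_IP or method not in UPLOAD_METHODS:
            continue                                  # not an upload to the camera
        q = windows[src]
        q.append((ts, nbytes))
        while (ts - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()                               # drop events outside the window
        count, total = len(q), sum(b for _, b in q)
        if src in alerts:
            continue                                  # one alert per source
        if count > MAX_UPLOADS_PER_WINDOW:
            alerts[src] = (ts, f"{count} uploads in {WINDOW_SECONDS}s")
        elif total > MAX_BYTES_PER_WINDOW:
            alerts[src] = (ts, f"{total} bytes in {WINDOW_SECONDS}s")
    return [(src, ts.isoformat(), why) for src, (ts, why) in alerts.items()]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Run this over whatever the gateway or proxy actually logs after adapting parse_line to that format; the two thresholds should come from a week of observed traffic for the camera's own cloud sync, not from the numbers above, or the detector will page on normal operation.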
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-11T18:32:25.348Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ebb8db8ff13aa08ba99207
Added to database: 10/12/2025, 2:19:07 PM
Last enriched: 10/19/2025, 2:48:45 PM
Last updated: 12/4/2025, 6:03:44 PM
Views: 104
Related Threats
- CVE-2025-63363: n/a (Unknown)
- CVE-2025-14012: SQL Injection in JIZHICMS (Medium)
- CVE-2025-14011: SQL Injection in JIZHICMS (Medium)
- CVE-2025-66373: n/a (Unknown)
- CVE-2025-66287: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') in Red Hat Red Hat Enterprise Linux 6 (High)