
CVE-2025-11636: Server-Side Request Forgery in Tomofun Furbo 360

Severity: Medium
Tags: Vulnerability, CVE-2025-11636
Published: Sun Oct 12 2025 (10/12/2025, 15:02:04 UTC)
Source: CVE Database V5
Vendor/Project: Tomofun
Product: Furbo 360

Description

A security vulnerability has been detected in Tomofun Furbo 360 up to FB0035_FW_036. This issue affects some unknown processing of the component Account Handler. Such manipulation leads to server-side request forgery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 10/12/2025, 15:18:56 UTC

Technical Analysis

CVE-2025-11636 identifies a server-side request forgery (SSRF) vulnerability in the Tomofun Furbo 360 pet camera, specifically affecting firmware versions up to FB0035_FW_036. The vulnerability is located within the Account Handler component, which processes certain requests in a manner that allows an attacker to induce the device to make arbitrary HTTP requests to internal or external systems. SSRF vulnerabilities can be leveraged to bypass network restrictions, access internal services, or perform reconnaissance within a victim’s network. This particular SSRF can be triggered remotely without requiring authentication or user interaction, increasing its attack surface. However, the attack complexity is rated high, indicating that exploitation requires significant skill or specific conditions. The CVSS 4.0 vector (AV:N/AC:H/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X) reflects a network attack vector with high complexity, no privileges or user interaction needed, and low impacts on confidentiality, integrity, and availability. The vendor Tomofun was contacted early but did not respond, and no patches or known exploits are currently available. This leaves affected devices potentially exposed until a fix is released. The vulnerability’s exploitation could allow attackers to pivot within internal networks, access sensitive internal resources, or exfiltrate data indirectly by abusing the device’s network access. Given the nature of IoT devices like Furbo 360, which are often connected to home or small office networks, the risk extends to privacy violations and potential lateral movement in more complex environments.

Potential Impact

For European organizations, the primary impact of this SSRF vulnerability lies in the potential for attackers to leverage compromised Furbo 360 devices as footholds within internal networks. This could lead to unauthorized access to internal services that are otherwise inaccessible from the internet, enabling reconnaissance or further exploitation. Although the direct impact on confidentiality, integrity, and availability is rated low to medium, the SSRF could serve as a stepping stone for more severe attacks, especially in environments where IoT devices are insufficiently segregated. Privacy concerns are also significant, as Furbo 360 devices are cameras used in personal and professional settings, potentially exposing sensitive video feeds or metadata. The medium CVSS score and high attack complexity reduce the immediate risk but do not eliminate it, particularly in high-value targets or environments with lax network segmentation. European organizations with Furbo 360 devices in use should consider this vulnerability a moderate threat that could facilitate lateral movement or data leakage if exploited.

Mitigation Recommendations

1. Network Segmentation: Isolate Furbo 360 devices on dedicated VLANs or separate network segments to limit their access to critical internal systems.
2. Egress Filtering: Implement strict outbound firewall rules to restrict the device’s ability to make arbitrary external or internal HTTP requests, blocking suspicious destinations.
3. Monitoring and Logging: Deploy network monitoring solutions to detect anomalous outbound traffic patterns originating from Furbo 360 devices, focusing on unusual internal IP addresses or unexpected external endpoints.
4. Firmware Updates: Although no patch is currently available, maintain close communication with Tomofun for updates and apply firmware patches promptly once released.
5. Disable Unnecessary Features: Where possible, disable unused network services or features on the device to reduce attack surface.
6. Vendor Engagement: Encourage Tomofun to respond to vulnerability disclosures and provide timely fixes.
7. User Awareness: Inform users about the risks of IoT devices and encourage secure configuration and placement of such devices within the network.
8. Incident Response Preparedness: Prepare to isolate or remove affected devices quickly if suspicious activity is detected.
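Added here as an illustration of recommendations 2 and 3 (this is not code from the advisory or from Tomofun): a small Python checker that walks constructed firewall flow records and flags camera-originated connections to internal hosts, or to external endpoints outside an allowlist, which is the traffic shape an SSRF abuse of the device would produce. The camera addresses, the IoT VLAN gateway, and the vendor endpoint are assumed placeholder values.

```python
import ipaddress

# Constructed sample flow records (not real telemetry): timestamp src dst dst_port proto
SAMPLE_FLOWS = """\
2025-10-12T15:20:01Z 10.30.0.21 203.0.113.10 443 tcp
2025-10-12T15:20:05Z 10.30.0.21 10.30.0.1 53 udp
2025-10-12T15:20:09Z 10.30.0.21 10.10.5.40 445 tcp
2025-10-12T15:20:12Z 10.30.0.21 169.254.169.254 80 tcp
2025-10-12T15:20:15Z 10.30.0.21 198.51.100.7 8080 tcp
2025-10-12T15:20:20Z 10.30.0.22 203.0.113.10 443 tcp
2025-10-12T15:20:25Z 10.10.5.40 10.30.0.21 80 tcp
"""

# Assumed addresses of the Furbo 360 units on a dedicated IoT VLAN (hypothetical values)
CAMERA_HOSTS = {ipaddress.ip_address("10.30.0.21"), ipaddress.ip_address("10.30.0.22")}
# Assumed legitimate destinations: the vendor cloud endpoint and the VLAN's own DNS/gateway
ALLOWED_EXTERNAL = {(ipaddress.ip_address("203.0.113.10"), 443)}
ALLOWED_INTERNAL = {(ipaddress.ip_address("10.30.0.1"), 53)}

# Private, loopback and link-local ranges: anything here reached by a camera is suspect
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def classify(line):
    """Return an alert tuple for one flow record, or None when the flow is expected."""
    ts, src, dst, port, _proto = line.split()
    src_ip, dst_ip, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
    if src_ip not in CAMERA_HOSTS:
        return None  # only flows originating from the cameras matter for SSRF egress
    if is_internal(dst_ip):
        if (dst_ip, port) in ALLOWED_INTERNAL:
            return None
        return ("internal-reach", ts, src, dst, port)  # camera touching an internal host
    if (dst_ip, port) in ALLOWED_EXTERNAL:
        return None
    return ("unexpected-egress", ts, src, dst, port)  # camera talking to an unlisted endpoint


def find_alerts(log_text):
    return [a for a in (classify(l) for l in log_text.splitlines() if l.strip()) if a]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_FLOWS):
        print(alert)
```

The same allowlist doubles as the egress firewall policy for recommendation 2: everything `classify` would flag is traffic the outbound rules should already deny.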


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-10-11T18:32:28.353Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68ebc5b38f89936022b765da

Added to database: 10/12/2025, 3:13:55 PM

Last enriched: 10/12/2025, 3:18:56 PM

Last updated: 10/12/2025, 7:12:30 PM