CVE-2025-11636 is a server-side request forgery (SSRF) vulnerability identified in the Tomofun Furbo 360 pet camera, specifically in firmware version FB0035_FW_036 and earlier. The vulnerability stems from improper handling within the Account Handler component, which processes certain requests in a way that allows an attacker to coerce the device into making arbitrary HTTP requests on its behalf. This SSRF flaw enables remote attackers to potentially access internal network resources or services that are otherwise inaccessible from the outside, bypassing network segmentation or firewall protections. The attack does not require authentication or user interaction but is characterized by high complexity, making exploitation difficult. The vulnerability has a CVSS 4.0 base score of 6.3, reflecting medium severity, with network attack vector, high attack complexity, and no privileges or user interaction required. The vendor, Tomofun, was contacted early about the issue but has not issued any response or patch, leaving devices vulnerable. No known exploits have been observed in the wild to date. The lack of patch availability necessitates alternative mitigation strategies. SSRF vulnerabilities in IoT devices like Furbo 360 are concerning because these devices often reside within home or enterprise networks, potentially providing attackers a foothold to pivot to other internal systems. The vulnerability impacts confidentiality and integrity by enabling unauthorized internal network reconnaissance or access. Availability impact is low as the flaw does not directly cause denial of service. Given the device's consumer focus, the risk is higher in environments where these cameras are connected to sensitive or corporate networks without proper isolation.

For European organizations, the primary impact of CVE-2025-11636 lies in the potential compromise of internal network security through the Furbo 360 device. If these IoT cameras are deployed within corporate or sensitive environments without adequate network segmentation, attackers exploiting this SSRF vulnerability could access internal services, potentially leading to data leakage or further lateral movement. Although the device is primarily consumer-focused, its increasing use in smart homes and possibly in small office environments means that sensitive information or systems could be indirectly exposed. The medium severity and high complexity reduce the likelihood of widespread exploitation, but targeted attacks against high-value networks remain a concern. Confidentiality and integrity of internal systems could be undermined, especially if the attacker leverages the SSRF to reach internal APIs, metadata services, or other protected resources. The absence of vendor patches increases exposure duration, emphasizing the need for proactive mitigation. The impact on availability is minimal as the vulnerability does not facilitate denial of service. Overall, European organizations should assess their network architecture to ensure that IoT devices like Furbo 360 do not provide an attack vector into critical infrastructure or sensitive data repositories.

1. Network Segmentation: Isolate Furbo 360 devices on a dedicated VLAN or subnet separate from critical business systems to limit potential lateral movement. 2. Firewall Rules: Implement strict egress filtering to restrict the device's outbound HTTP requests to only trusted destinations, preventing arbitrary SSRF exploitation. 3. Monitor Network Traffic: Deploy network monitoring tools to detect unusual outbound requests originating from Furbo 360 devices, which may indicate exploitation attempts. 4. Device Inventory and Management: Maintain an up-to-date inventory of all IoT devices, including Furbo 360 cameras, and track firmware versions to identify vulnerable units. 5. Vendor Engagement: Continue attempts to engage Tomofun for patch development and apply updates promptly once available. 6. Disable Unnecessary Features: If possible, disable remote access or account handler functionalities that are not essential to reduce attack surface. 7. User Awareness: Educate users about the risks of connecting IoT devices to corporate networks and encourage use in isolated environments. 8. Incident Response Preparedness: Develop and test incident response plans that include IoT device compromise scenarios. These measures go beyond generic advice by focusing on network architecture adjustments and active monitoring tailored to the specific nature of this SSRF vulnerability.