CVE-2025-11638 is a vulnerability identified in the Bluetooth Handler component of Tomofun's Furbo 360 and Furbo Mini pet cameras. The exact function affected is unspecified, but the flaw allows an attacker with local network access to manipulate the device in a way that causes a denial of service (DoS). This DoS condition likely disrupts the normal operation of the device, rendering it unresponsive or inoperable, which impacts availability. The vulnerability does not require any authentication, user interaction, or elevated privileges, making it relatively easy to exploit for an attacker already on the same local network segment. The affected firmware versions are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor Tomofun was contacted early regarding this issue but has not provided any response or patches, indicating a lack of official remediation at this time. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the limited attack vector (local network only) but ease of exploitation and impact on availability. No known exploits have been reported in the wild, but the vulnerability could be leveraged in environments where local network access is possible, such as home or small office networks. The Bluetooth Handler component suggests that the attack may involve malformed or malicious Bluetooth packets or commands, causing the device to crash or become unresponsive. This vulnerability highlights the risks of IoT devices with insufficient network access controls and unpatched firmware.

The primary impact of CVE-2025-11638 is denial of service, which affects the availability of Furbo 360 and Furbo Mini pet cameras. For European organizations or households using these devices, this could mean loss of real-time pet monitoring capabilities, potentially causing inconvenience or safety concerns for pets. In corporate or managed environments where these devices might be used for pet care or monitoring, the disruption could affect employee satisfaction or trust in IoT device reliability. Since exploitation requires local network access, environments with weak network segmentation or guest network controls are at higher risk. The lack of vendor response and patches increases the window of exposure. While confidentiality and integrity are not directly impacted, the availability disruption could be leveraged as part of a broader attack strategy to cause distraction or reduce situational awareness. European organizations with IoT deployments should consider this vulnerability in their risk assessments, especially in countries with high consumer IoT adoption and pet ownership. The impact is moderate but could escalate if combined with other vulnerabilities or attack vectors.

To mitigate CVE-2025-11638, organizations and users should implement strict network segmentation to isolate IoT devices like Furbo cameras from critical business or personal networks. Limit Bluetooth and local network access to trusted devices only, using MAC address filtering and strong Wi-Fi security protocols (WPA3 where possible). Disable unnecessary Bluetooth functionality if not required for device operation. Monitor network traffic for unusual Bluetooth or local network activity targeting these devices. Regularly check for firmware updates from Tomofun or community sources, and apply patches promptly once available. Consider using network access control (NAC) solutions to restrict device connectivity. If possible, deploy intrusion detection systems (IDS) tuned to detect anomalous Bluetooth or IoT device behavior. Educate users about the risks of connecting IoT devices to unsecured or public networks. In environments where these devices are critical, have fallback monitoring solutions to maintain pet safety during outages. Engage with Tomofun support channels to encourage vendor responsiveness and patch development.