
CVE-2025-11638: Denial of Service in Tomofun Furbo 360

Severity: Medium
Published: Sun Oct 12 2025 (10/12/2025, 17:02:05 UTC)
Source: CVE Database V5
Vendor/Project: Tomofun
Product: Furbo 360

Description

A flaw has been found in Tomofun Furbo 360 and Furbo Mini. The affected element is an unknown function of the component Bluetooth Handler. Executing manipulation can lead to denial of service. The attacker needs to be present on the local network. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 10/12/2025, 17:13:00 UTC

Technical Analysis

CVE-2025-11638 identifies a denial of service (DoS) vulnerability in the Tomofun Furbo 360 and Furbo Mini pet cameras, in an undisclosed function of the Bluetooth Handler component. An attacker who can reach that handler can feed it manipulated input so that the device crashes or stops responding. The affected firmware versions are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was notified early but has not responded, and no patch is available. The CVSS 4.0 score is 5.3 (Medium): adjacent attack vector (AV:A), low attack complexity (AC:L), no privileges and no user interaction required, with the impact confined to availability; no confidentiality or integrity impact is reported. No exploits are known in the wild, and no technical details of the trigger have been published.

Two caveats on the attack vector. First, "present on the local network" is VulDB's generic wording for AV:A; for a component that handles Bluetooth, the adjacency that matters is most plausibly the camera's Bluetooth radio range, which is independent of the Wi-Fi network the camera is joined to. The advisory does not say whether the handler is reached over the radio or through a LAN-facing interface that drives it, so both paths should be assumed possible until the vendor clarifies. Second, the effect is loss of the camera's availability (live view, alerts and pet monitoring) for as long as the attacker keeps triggering the fault, or until the device recovers or is restarted; with no fix available, that exposure persists.

Potential Impact

For organizations and consumers in Europe using Furbo 360 and Furbo Mini devices, the realistic outcome is a temporary loss of the camera: pet monitoring, alerts and any smart home automation keyed off the camera stop until it recovers. The impact on business operations is limited, since these are consumer devices, but where a camera doubles as an informal room monitor the outage removes that situational awareness. The adjacent attack vector rules out exploitation from the Internet but not from someone in the building, a compromised device nearby, or a shared office or residential setting where Bluetooth range or a flat network puts the camera within reach of many people. Because no data confidentiality or integrity compromise is reported, the most likely abuse is as a distraction or cover: knocking a camera offline before some other activity it might have recorded. The absence of a vendor patch leaves the exposure window open-ended. Overall the impact is moderate, and relevant mainly where the camera's availability is actually relied on.

Mitigation Recommendations

1. Network Segmentation: Isolate IoT devices such as Furbo cameras on a separate VLAN or SSID with client isolation, so a foothold on a laptop or guest device cannot reach the camera's LAN-facing interfaces. This removes the network path only; it does nothing against an attacker within Bluetooth range.
2. Restrict Bluetooth Exposure: Bluetooth is a separate radio, not a service on the Wi-Fi network, so it cannot be filtered by a firewall or VLAN. If the camera's Bluetooth is only needed during setup and the firmware or app offers a way to turn it off afterwards, do so; otherwise place cameras where the radio footprint reaches as few untrusted people as possible (away from shared walls, hallways and public areas).
3. Monitor Availability: Bluetooth traffic is invisible to network monitoring, so detect exploitation by its effect. Probe the camera on a schedule, alert on a run of missed probes, and correlate outages with physical access logs or with a Bluetooth sniffer if one is available. Repeated short outages of one device at a site are the signature to watch for.
4. Access Controls: Use WPA3 (or WPA2 with a strong passphrase) on the IoT SSID and keep guest networks from routing to it, so the LAN path to the device is limited to devices you control.
5. Device Hardening: Check regularly for firmware newer than FB0035_FW_036 (Furbo 360) and MC0020_FW_074 (Furbo Mini) and apply updates promptly once the vendor ships a fix.
6. Incident Response: Accept that the DoS cannot be prevented on current firmware; for environments where the feed matters, keep a backup monitoring method and a way to restart the device remotely.
7. User Awareness: Tell users that the camera can be knocked offline by someone nearby, so a feed that goes silent should be treated as a possible incident rather than a glitch.
8. Vendor Engagement: Continue pressing the vendor for a fix or mitigation guidance, and report the lack of response to the relevant national CSIRT or consumer-protection authority if it persists.
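Since the only observable of this flaw is the camera dropping off the network, the practical detection from items 3 and 6 is an availability watchdog. The following is an added example, not Tomofun code or anything from the advisory. It assumes the camera accepts a TCP connection on PROBE_PORT (an assumption; use whatever port your device actually exposes) and that a run of consecutive failed probes, rather than a single miss, is what should be alerted on. The probe history in build_sample_log is constructed for illustration.

```python
"""Availability watchdog for a LAN IoT device such as a Furbo camera.

Added example, not Tomofun code. Assumptions: the camera answers a TCP
connect on PROBE_PORT (adjust to the port the device really listens on),
and an outage is a run of FAIL_THRESHOLD or more consecutive failed probes.
"""
import socket
import time
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PROBE_PORT = 443          # assumption: change to the port the device listens on
PROBE_INTERVAL_S = 30     # seconds between probes
FAIL_THRESHOLD = 3        # consecutive failures before it counts as an outage


@dataclass(frozen=True)
class Probe:
    at: datetime
    reachable: bool


def tcp_probe(host: str, port: int = PROBE_PORT, timeout: float = 2.0) -> bool:
    """True if a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_outages(probes, threshold: int = FAIL_THRESHOLD):
    """Collapse a probe history into outage records.

    An outage is a run of at least `threshold` consecutive failed probes.
    `end` is the time of the first successful probe after the run, or None
    if the device is still down at the end of the history; `duration_s` is
    the seconds from first failure to recovery (None while still down).
    """
    ordered = sorted(probes, key=lambda p: p.at)
    outages, run_start, run_len = [], None, 0

    def record(end):
        dur = None if end is None else int((end - run_start).total_seconds())
        outages.append({
            "start": run_start.isoformat(),
            "end": None if end is None else end.isoformat(),
            "failed_probes": run_len,
            "duration_s": dur,
        })

    for p in ordered:
        if not p.reachable:
            if run_len == 0:
                run_start = p.at
            run_len += 1
            continue
        if run_len >= threshold:       # a recovered outage worth reporting
            record(p.at)
        run_start, run_len = None, 0   # single misses below threshold are dropped
    if run_len >= threshold:           # history ends while still down
        record(None)
    return outages


def build_sample_log():
    """Constructed probe history (not real data): 30 s interval, one
    transient miss at 17:02:30, then five misses from 17:05:00, recovery at 17:07:30."""
    t0 = datetime(2025, 10, 12, 17, 0, tzinfo=timezone.utc)
    pattern = "1111101111000001111"   # '1' = reachable, '0' = no answer
    return [Probe(t0 + timedelta(seconds=PROBE_INTERVAL_S * i), c == "1")
            for i, c in enumerate(pattern)]


def watch(host: str, probes: int, port: int = PROBE_PORT, interval: float = PROBE_INTERVAL_S):
    """Probe a live host `probes` times and return the outage records found."""
    history = []
    for _ in range(probes):
        history.append(Probe(datetime.now(timezone.utc), tcp_probe(host, port)))
        time.sleep(interval)
    return find_outages(history)


if __name__ == "__main__":
    for outage in find_outages(build_sample_log()):
        print(outage)
    # Live use against an assumed address: watch("192.168.50.23", probes=120)
```

On the constructed history the single miss is ignored and one outage of five failed probes (150 s) is reported. In production, feed the records from watch() into whatever alerting you already have, and treat several short outages of the same camera in one day as the pattern this CVE would produce.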


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-10-11T18:32:34.251Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68ebe1892b9503bda4776cc9

Added to database: 10/12/2025, 5:12:41 PM

Last enriched: 10/12/2025, 5:13:00 PM

Last updated: 10/12/2025, 7:12:30 PM

