The vulnerability identified as CVE-2025-11639 affects Tomofun Furbo 360 and Furbo Mini smart pet cameras. It arises from insecure storage of sensitive information within the collect_logs.sh script, which is part of the Debug Log S3 Bucket Handler component. This script likely handles log collection and uploads to an S3 bucket, but due to improper handling, sensitive data such as credentials, tokens, or other private information may be stored in an insecure manner on the device. Exploitation requires local access with low privileges, meaning an attacker must have physical or local network access to the device but does not require elevated privileges or user interaction. The affected firmware versions are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted but has not responded or issued a patch, leaving the vulnerability unmitigated. The CVSS 4.0 vector indicates low attack complexity and no user interaction, but limited impact on confidentiality and no impact on integrity or availability. No known exploits are currently in the wild. The vulnerability primarily threatens confidentiality by exposing sensitive data stored insecurely, which could be leveraged for further attacks or privacy violations. Given the local access requirement, remote exploitation is not feasible, limiting the scope but still posing a risk in environments where device access is not tightly controlled.

For European organizations, the primary impact is the potential exposure of sensitive information stored insecurely on Furbo devices. This could include authentication credentials, tokens, or other private data that, if accessed, might allow attackers to compromise device functionality or privacy. Organizations using these devices in offices, pet care facilities, or homes where employees or visitors have physical access could face confidentiality breaches. Although the vulnerability does not affect device integrity or availability, the exposure of sensitive data could lead to privacy violations, reputational damage, or facilitate lateral movement in a network if attackers leverage the information to escalate access. The local access requirement reduces the risk of widespread remote attacks but increases the importance of physical security and access controls. The lack of vendor response and patches means organizations must rely on compensating controls until a fix is available. The impact is more pronounced in environments with weak physical security or where devices are deployed in shared or public spaces.

1. Restrict physical and local network access to Furbo 360 and Furbo Mini devices to trusted personnel only. 2. Implement strict access control policies and monitor for unauthorized access attempts to these devices. 3. Disable or limit debug logging features if possible to reduce sensitive data exposure. 4. Regularly audit device configurations and stored data to detect insecure storage of sensitive information. 5. Network segmentation should be applied to isolate these devices from critical infrastructure and sensitive networks. 6. Maintain up-to-date inventories of deployed devices and firmware versions to identify affected units. 7. Engage with the vendor periodically for updates or patches and apply them promptly once available. 8. Consider replacing affected devices with alternatives that have better security postures if mitigation is not feasible. 9. Educate staff about the risks of local device access and enforce policies to prevent unauthorized physical interaction. 10. Use endpoint detection and response tools to monitor for suspicious activities related to these devices.