CVE-2025-11639: Insecure Storage of Sensitive Information in Tomofun Furbo 360
A vulnerability has been found in Tomofun Furbo 360 and Furbo Mini. The impacted element is an unknown function of the file collect_logs.sh of the component Debug Log S3 Bucket Handler. The manipulation leads to insecure storage of sensitive information. An attack has to be approached locally. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-11639 affects the Tomofun Furbo 360 and Furbo Mini pet cameras, specifically in the component responsible for managing debug logs stored in an Amazon S3 bucket. The issue resides in the collect_logs.sh script, which handles debug log collection and storage. Due to insecure handling within this script, sensitive information is stored improperly, potentially exposing it to unauthorized local users. The attack vector requires local access to the device, meaning an attacker must already have some level of access to the device's operating environment. The vulnerability does not require user interaction or elevated privileges beyond local access, making it easier to exploit once local access is obtained. The affected firmware versions include Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor, Tomofun, was contacted early about this issue but did not respond or provide patches. The CVSS 4.0 base score is 4.8, reflecting a medium severity primarily due to the local attack vector and limited impact on integrity and availability. No known exploits have been reported in the wild, but the insecure storage of sensitive data could lead to confidentiality breaches if an attacker gains local access. This vulnerability highlights the risks associated with IoT devices that handle sensitive user data but lack robust security controls for local access and data storage.
Potential Impact
For European organizations, the primary impact of this vulnerability lies in the potential exposure of sensitive information stored on Furbo 360 and Furbo Mini devices. These devices are commonly used in private homes but may also be present in office environments for pet monitoring. If an attacker gains local access—through physical access or compromised internal networks—they could retrieve sensitive debug logs containing private user data or device information. This could lead to privacy violations, data leakage, and potential further compromise if the logs contain credentials or network details. Although the vulnerability does not directly affect device availability or integrity, the confidentiality impact is significant, especially under GDPR regulations that mandate protection of personal data. Organizations using these devices should consider the risk of insider threats or unauthorized physical access. The lack of vendor response and patches increases the risk exposure duration. While the attack requires local access, environments with weak physical security or insufficient network segmentation may be vulnerable. The impact is thus more pronounced in settings where these devices are deployed in sensitive or regulated environments.
Mitigation Recommendations
1. Restrict physical access to Furbo 360 and Furbo Mini devices to trusted personnel only, minimizing the risk of local exploitation.
2. Implement network segmentation to isolate IoT devices from critical business networks, reducing the chance of attackers gaining local access remotely.
3. Monitor device logs and network traffic for unusual access patterns that could indicate attempts to exploit local vulnerabilities.
4. If possible, disable debug logging features or restrict access to the debug log storage locations to prevent unauthorized data retrieval.
5. Regularly audit firmware versions and device configurations to identify affected devices and prepare for future patches.
6. Engage with Tomofun support channels persistently to request security updates or official patches.
7. Consider replacing vulnerable devices with alternatives that have stronger security postures if mitigation is not feasible.
8. Educate staff about the risks of local device access and enforce policies to prevent unauthorized physical or network access to IoT devices.
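The exact defect in collect_logs.sh is not published on this page, so the following POSIX shell snippet is an added illustration (written here, not Tomofun's code) of the defensive pattern behind recommendation 4 and the weakness class in the technical summary: a debug-log collector that keeps its bundle owner-only and redacts credential-looking values before anything reaches disk or a bucket upload. The function names, redaction patterns and sample log line are assumptions.

```shell
#!/bin/sh
# Hypothetical hardened debug-log collector pattern (not Tomofun's collect_logs.sh).
# Two controls: (1) nothing this script creates is readable by other local
# users; (2) secrets are redacted from the stream before it is stored.

umask 077   # files -> 0600, directories -> 0700 for everything created below

# redact_secrets: filter stdin -> stdout, masking values that follow common
# credential keys and bearer tokens. Patterns are assumptions about log formats;
# extend them for the formats your device actually emits.
redact_secrets() {
    sed -E \
        -e 's/(([Pp]assword|passwd|[Ss]ecret|[Tt]oken|api[_-]?[Kk]ey|access[_-]?[Kk]ey)[=: ]+)[^[:space:]"]+/\1[REDACTED]/g' \
        -e 's/(Authorization: *Bearer +)[^[:space:]]+/\1[REDACTED]/g' \
        -e 's/(AWS_SECRET_ACCESS_KEY=)[^[:space:]]+/\1[REDACTED]/g'
}

# collect_logs: copy each readable log file given as an argument into a fresh
# private staging directory, redacting on the way. Prints the directory path,
# which an upload step can then consume; it never writes to a shared location.
collect_logs() {
    staging=$(mktemp -d "${TMPDIR:-/tmp}/debuglogs.XXXXXX") || return 1
    chmod 700 "$staging"                      # explicit, even though umask already did it
    for f in "$@"; do
        [ -r "$f" ] || continue
        out="$staging/$(basename "$f").txt"
        redact_secrets < "$f" > "$out"
        chmod 600 "$out"
    done
    printf '%s\n' "$staging"
}

# check_bundle_perms: audit a bundle directory before upload or hand-off.
# Returns 1 if any file or directory grants group/other any permission bit
# (-perm /077 is GNU/busybox find syntax), 0 when the bundle is owner-only.
check_bundle_perms() {
    find "$1" \( -type f -o -type d \) -perm /077 -print | grep -q . && return 1
    return 0
}
```

Run check_bundle_perms on the directory that collect_logs prints before any upload step so an overly permissive bundle is refused rather than shipped.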
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Denmark, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-11T18:32:37.387Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ebe832514ee80e17c46bb6
Added to database: 10/12/2025, 5:41:06 PM
Last enriched: 10/19/2025, 6:00:16 PM
Last updated: 12/3/2025, 1:23:23 PM