CVE-2025-11640: Cleartext Transmission of Sensitive Information in Tomofun Furbo 360
A vulnerability was found in Tomofun Furbo 360 and Furbo Mini. It affects an unspecified function of the Bluetooth Low Energy component and results in cleartext transmission of sensitive information. Access to the local network is required for this attack. Attacks of this nature are highly complex, and exploitability is reported as difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-11640 identifies a security vulnerability in the Tomofun Furbo 360 and Furbo Mini pet cameras, specifically related to their Bluetooth Low Energy (BLE) component. The flaw causes sensitive information to be transmitted in cleartext over BLE, exposing it to interception by attackers with local network access. The exact nature of the sensitive data is unspecified, but could include authentication tokens, device identifiers, or user-related information. Exploiting this vulnerability requires the attacker to be on the same local network as the device, which limits remote exploitation. The attack complexity is high due to the need for proximity and technical skill to intercept and decode BLE communications. Firmware versions up to FB0035_FW_036 for Furbo 360 and MC0020_FW_074 for Furbo Mini are affected. The vendor was notified but did not respond or provide patches, leaving devices exposed. The CVSS 4.0 base score is 2.3, reflecting low impact and difficult exploitability. There are no known exploits in the wild, and no user interaction or authentication is required to exploit the vulnerability, but the attacker must have local network access. This vulnerability primarily threatens confidentiality, with no direct impact on integrity or availability reported.
Potential Impact
For European organizations, the primary impact of CVE-2025-11640 is the potential exposure of sensitive information transmitted by Furbo devices within local networks. While the vulnerability does not allow remote exploitation or direct control of the device, interception of cleartext BLE transmissions could lead to privacy breaches, including leakage of user data or device metadata. Organizations with smart office environments or employees using Furbo devices at home connected to corporate VPNs may face increased risk. The requirement for local network access limits the threat to attackers who have already penetrated internal networks or are physically nearby. The low severity score indicates limited risk to critical infrastructure or business operations. However, privacy regulations such as GDPR impose strict requirements on protecting personal data, so any leakage could have compliance implications. The lack of vendor response and patches prolongs exposure, necessitating proactive mitigation by affected organizations.
Mitigation Recommendations
To mitigate CVE-2025-11640, European organizations should implement specific controls beyond generic advice:
1) Segment networks to isolate IoT and smart home devices from critical business systems, reducing the risk of lateral movement by attackers.
2) Disable Bluetooth Low Energy functionality on Furbo devices if not required, or restrict BLE communication range using physical controls.
3) Monitor local network traffic for unusual BLE activity or unauthorized devices attempting to intercept communications.
4) Encourage users to update to the latest firmware if and when vendor patches become available, and maintain communication with the vendor for updates.
5) Employ strong Wi-Fi security measures (WPA3, strong passwords) to prevent unauthorized local network access.
6) Educate users about the risks of connecting IoT devices to corporate networks or VPNs.
7) Consider replacing affected devices with alternatives that have better security postures if mitigation is not feasible.
These steps help reduce the attack surface and limit the potential for sensitive data exposure.
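The advisory does not say which data the Furbo devices send in cleartext, so the practical check for a defender evaluating recommendation 7 (or auditing any BLE device in inventory) is to look at the device's own ATT payloads and ask whether they look like plaintext application data or like an opaque encrypted blob. The following Python script is an added example, not code from the advisory or from Tomofun: it applies a printable-byte-ratio heuristic plus a credential-keyword check to a small set of constructed ATT payloads (the addresses, handles and values are made up for illustration) and reports which ones a reviewer should treat as cleartext.

```python
"""Heuristic cleartext audit for captured BLE ATT payloads (added example).

Assumptions: payloads have already been exported from a capture as
(sender address, ATT handle, ATT opcode, value bytes). Everything below is
constructed sample data; the heuristics are generic, not Furbo-specific.
"""
import string
from dataclasses import dataclass
from typing import Dict, List

# Bytes we consider "text": printable ASCII without form feed / vertical tab.
PRINTABLE = {ord(c) for c in string.printable} - {0x0B, 0x0C}

# Field names that commonly carry secrets in IoT provisioning messages.
# Hypothetical list for the example; extend it for your own device class.
SECRET_KEYWORDS = (b"ssid", b"psk", b"pass", b"password", b"token", b"secret")


@dataclass
class AttPayload:
    src: str      # BLE address of the sender (constructed)
    handle: int   # ATT attribute handle
    opcode: str   # e.g. "write_req", "notify"
    value: bytes


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 for empty input)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def classify(payload: AttPayload, min_len: int = 8, ratio: float = 0.9) -> str:
    """Label a payload as 'short', 'likely-cleartext' or 'opaque'.

    Short values (status bytes, counters) are skipped because a single
    printable byte tells us nothing. Encrypted or compressed data is close
    to uniform over 0-255, so its printable ratio sits near 100/256 (~0.39);
    human-readable JSON, key=value strings or passwords sit near 1.0.
    """
    if len(payload.value) < min_len:
        return "short"
    if printable_ratio(payload.value) >= ratio:
        return "likely-cleartext"
    return "opaque"


def audit(payloads: List[AttPayload]) -> List[Dict[str, object]]:
    """Return one finding per payload that looks like cleartext."""
    findings = []
    for p in payloads:
        if classify(p) != "likely-cleartext":
            continue
        lowered = p.value.lower()
        keywords = [k.decode() for k in SECRET_KEYWORDS if k in lowered]
        findings.append({
            "src": p.src,
            "handle": p.handle,
            "opcode": p.opcode,
            "printable_ratio": round(printable_ratio(p.value), 2),
            "secret_keywords": keywords,
        })
    return findings


# Constructed sample capture: one provisioning-style write, one opaque
# notification, one single-byte status write.
SAMPLE = [
    AttPayload("AA:BB:CC:DD:EE:01", 0x0015, "write_req",
               b'{"ssid":"HomeNet","psk":"hunter2"}'),
    AttPayload("AA:BB:CC:DD:EE:01", 0x0018, "notify",
               bytes.fromhex("8f13a700e2914cd67b05fa339e61c812")),
    AttPayload("AA:BB:CC:DD:EE:01", 0x0012, "write_req", b"\x01"),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"handle 0x{p.handle:04x} {p.opcode:10s} -> {classify(p)}")
    for f in audit(SAMPLE):
        print("FINDING:", f)
```

The heuristic is deliberately conservative: a high printable ratio on a payload of eight bytes or more is strong evidence of cleartext, while an "opaque" result only means the bytes are not obviously text, not that they are encrypted. A device whose provisioning writes come back as `likely-cleartext` with keywords such as `ssid` or `psk` is the case the advisory describes, and belongs on the segregated IoT network (recommendation 1) until the vendor ships a fix.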
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-11T18:32:40.332Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ebf07242ddb1210bc1e905
Added to database: 10/12/2025, 6:16:18 PM
Last enriched: 10/19/2025, 6:31:46 PM
Last updated: 12/5/2025, 1:47:52 AM