CVE-2025-11640: Cleartext Transmission of Sensitive Information in Tomofun Furbo 360
A vulnerability was found in Tomofun Furbo 360 and Furbo Mini. This affects an unknown function of the component Bluetooth Low Energy. The manipulation results in cleartext transmission of sensitive information. Access to the local network is required for this attack. Attacks of this nature are highly complex. The exploitability is reported as difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-11640 identifies a security vulnerability in the Tomofun Furbo 360 and Furbo Mini pet cameras, specifically related to their Bluetooth Low Energy (BLE) component. The flaw causes sensitive information to be transmitted in cleartext over BLE, exposing it to interception by attackers with local network access. The exact nature of the sensitive data is unspecified, but could include authentication tokens, device identifiers, or user-related information. Exploiting this vulnerability requires the attacker to be on the same local network as the device, which limits remote exploitation. The attack complexity is high due to the need for proximity and technical skill to intercept and decode BLE communications. Firmware versions up to FB0035_FW_036 for Furbo 360 and MC0020_FW_074 for Furbo Mini are affected. The vendor was notified but did not respond or provide patches, leaving devices exposed. The CVSS 4.0 base score is 2.3, reflecting low impact and difficult exploitability. There are no known exploits in the wild, and no user interaction or authentication is required to exploit the vulnerability, but the attacker must have local network access. This vulnerability primarily threatens confidentiality, with no direct impact on integrity or availability reported.
Potential Impact
For European organizations, the primary impact of CVE-2025-11640 is the potential exposure of sensitive information transmitted by Furbo devices within local networks. While the vulnerability does not allow remote exploitation or direct control of the device, interception of cleartext BLE transmissions could lead to privacy breaches, including leakage of user data or device metadata. Organizations with smart office environments or employees using Furbo devices at home connected to corporate VPNs may face increased risk. The requirement for local network access limits the threat to attackers who have already penetrated internal networks or are physically nearby. The low severity score indicates limited risk to critical infrastructure or business operations. However, privacy regulations such as GDPR impose strict requirements on protecting personal data, so any leakage could have compliance implications. The lack of vendor response and patches prolongs exposure, necessitating proactive mitigation by affected organizations.
Mitigation Recommendations
To mitigate CVE-2025-11640, European organizations should implement specific controls beyond generic advice:
1) Segment networks to isolate IoT and smart home devices from critical business systems, reducing the risk of lateral movement by attackers.
2) Disable Bluetooth Low Energy functionality on Furbo devices if not required, or restrict BLE communication range using physical controls.
3) Monitor local network traffic for unusual BLE activity or unauthorized devices attempting to intercept communications.
4) Encourage users to update to the latest firmware if and when vendor patches become available, and maintain communication with the vendor for updates.
5) Employ strong Wi-Fi security measures (WPA3, strong passwords) to prevent unauthorized local network access.
6) Educate users about the risks of connecting IoT devices to corporate networks or VPNs.
7) Consider replacing affected devices with alternatives that have better security postures if mitigation is not feasible.
These steps help reduce the attack surface and limit the potential for sensitive data exposure.
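An inventory triage helper added here as an illustration (not code from the advisory or the vendor): it checks device firmware strings against the two affected ceilings the advisory names. The string layout `<hardware id>_FW_<build>` is an assumption inferred from FB0035_FW_036 and MC0020_FW_074, and the sample inventory is constructed.

```python
import re

# Highest firmware builds the advisory lists as affected for each hardware id.
# Built from the page's own version strings; the layout is an assumption.
AFFECTED_UP_TO = {
    "FB0035": ("Furbo 360", 36),   # FB0035_FW_036
    "MC0020": ("Furbo Mini", 74),  # MC0020_FW_074
}

# Assumed layout: <hardware id>_FW_<zero-padded build number>
_VERSION_RE = re.compile(r"^(?P<hw>[A-Z]{2}\d{4})_FW_(?P<build>\d{3,})$")


def parse_firmware(version: str) -> tuple[str, int]:
    """Split 'FB0035_FW_036' into ('FB0035', 36); raise on anything else."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised Furbo firmware string: {version!r}")
    return m.group("hw"), int(m.group("build"))


def classify(version: str) -> str:
    """Return 'affected', 'newer-than-advisory' or 'unknown-model'.

    'newer-than-advisory' is deliberately not 'fixed': the vendor has not
    responded, so no fixed build is known and newer firmware may still carry
    the cleartext BLE behaviour.
    """
    hw, build = parse_firmware(version)
    entry = AFFECTED_UP_TO.get(hw)
    if entry is None:
        return "unknown-model"
    _, ceiling = entry
    return "affected" if build <= ceiling else "newer-than-advisory"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group asset names by classification; malformed strings go to 'unparseable'."""
    report: dict[str, list[str]] = {}
    for asset, version in inventory.items():
        try:
            status = classify(version)
        except ValueError:
            status = "unparseable"
        report.setdefault(status, []).append(asset)
    return report


# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = {
    "lobby-cam-01": "FB0035_FW_036",
    "lobby-cam-02": "FB0035_FW_012",
    "kitchen-mini": "MC0020_FW_074",
    "kitchen-mini-2": "MC0020_FW_075",
    "unknown-unit": "ZZ9999_FW_001",
    "bad-entry": "firmware v3",
}

if __name__ == "__main__":
    for status, assets in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(assets)}")
```

Feed it the firmware column of an asset database; anything reported as "affected" or "newer-than-advisory" belongs on the segmented IoT network described in step 1 until the vendor publishes a fix.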
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-11T18:32:40.332Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ebf07242ddb1210bc1e905
Added to database: 10/12/2025, 6:16:18 PM
Last enriched: 10/19/2025, 6:31:46 PM
Last updated: 1/18/2026, 11:54:36 PM