CVE-2025-11641 identifies an improper access control vulnerability in the Tomofun Furbo 360 and Furbo Mini smart pet cameras, specifically within an unspecified function of the Trial Restriction Handler component. This vulnerability allows an attacker with physical access to the device to manipulate access controls, potentially bypassing restrictions intended by the firmware. The attack complexity is high, meaning it requires significant skill or conditions to exploit, and no user interaction or authentication is needed. The affected firmware versions are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vulnerability does not impact confidentiality, integrity, or availability significantly, as indicated by the low CVSS score of 1.0, primarily due to the physical access requirement and difficult exploitability. The vendor Tomofun has not responded to the vulnerability disclosure, and no patches or mitigations have been published. There are no known exploits in the wild, and the vulnerability does not appear to be remotely exploitable. The flaw likely allows circumvention of trial restrictions, which may affect device functionality or licensing but does not appear to expose sensitive user data or enable remote compromise.

For European organizations, the impact of CVE-2025-11641 is limited but not negligible. Since the vulnerability requires physical access and has high complexity, it is unlikely to be exploited in large-scale attacks or remotely. However, in environments where Furbo devices are deployed in accessible locations—such as offices, retail spaces, or public areas—an attacker could potentially manipulate device restrictions or functionality. This could lead to unauthorized use or denial of service of the device, impacting operational convenience or monitoring capabilities. The vulnerability does not appear to compromise user privacy or network security directly. Nevertheless, organizations with strict IoT security policies or those using these devices in sensitive environments should consider the risk. The lack of vendor response and absence of patches increase the risk of prolonged exposure. Additionally, the presence of these devices in private homes or small businesses across Europe could pose a minor risk if physical security is lax.

Given the absence of vendor patches, European organizations and users should focus on physical security controls to mitigate this vulnerability. This includes restricting physical access to Furbo 360 and Furbo Mini devices, especially in shared or public spaces. Deploy devices in locked or monitored areas to prevent unauthorized manipulation. Regularly inspect devices for signs of tampering. Network segmentation can limit potential lateral movement if devices are compromised. Monitoring device behavior for anomalies may help detect exploitation attempts. Organizations should maintain an inventory of deployed Furbo devices and firmware versions to assess exposure. Engage with the vendor persistently for updates or patches. Consider disabling or removing devices in high-risk environments until a fix is available. Finally, educate users about the risks of physical access attacks on IoT devices and enforce policies accordingly.