
CVE-2025-11641: Improper Access Controls in Tomofun Furbo 360

Severity: Low
Published: Sun Oct 12 2025 (10/12/2025, 18:32:05 UTC)
Source: CVE Database V5
Vendor/Project: Tomofun
Product: Furbo 360

Description

A vulnerability was found in Tomofun Furbo 360 and Furbo Mini. It affects an unknown function of the Trial Restriction Handler component; manipulating it leads to improper access controls. The attack requires access to the physical device, is rated as high complexity, and is considered difficult to exploit. Affected firmware versions: Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 10/12/2025, 18:53:27 UTC

Technical Analysis

CVE-2025-11641 is an improper access control vulnerability in the Tomofun Furbo 360 and Furbo Mini smart pet cameras, located in an unspecified function of the Trial Restriction Handler component. An attacker with physical access to the device can manipulate it so that an intended access restriction is bypassed. Beyond the component name, which points to the gating of trial functionality, the advisory does not say which restriction is bypassed or what the attacker gains. Affected firmware is Furbo 360 up to and including FB0035_FW_036 and Furbo Mini up to and including MC0020_FW_074; because the vendor has not responded, no fixed version is known, so newer builds should not be assumed safe. The CVSS 4.0 vector gives a physical attack vector (AV:P) and high attack complexity (AC:H), with no privileges (PR:N) or user interaction (UI:N) required, and low impact on confidentiality, integrity and availability (VC:L, VI:L, VA:L). The physical-access requirement rules out remote or large-scale exploitation, and the high complexity means even hands-on exploitation is non-trivial. No exploitation in the wild has been reported and no patch has been released. In practice the risk is confined to whoever can handle the device, and is bounded by the low confidentiality, integrity and availability ratings.

Potential Impact

For European organizations, the impact of CVE-2025-11641 is limited by the physical-access requirement and the high exploitation complexity. The affected devices are consumer-grade smart pet cameras and are unlikely to be critical infrastructure components in enterprise environments. Organizations that place these devices in offices, or in employee homes as part of wellness or pet care programs, face a risk only where someone untrusted can physically handle the device. The advisory does not specify what the bypassed restriction protects; consistent with the low confidentiality, integrity and availability ratings, the plausible outcomes are misuse of trial-restricted functionality or limited exposure of device data, not wholesale compromise of the camera or its network. The low CVSS score and the absence of known exploits reduce urgency, but the lack of a vendor response or patch means mitigation rests entirely on physical security controls and monitoring. Overall, the threat to European organizations is low but not negligible where physical access to the device is poorly controlled.

Mitigation Recommendations

1. Enforce strict physical security controls to prevent unauthorized individuals from accessing the Furbo 360 and Furbo Mini devices, including secure placement and restricted access areas.
2. Monitor and audit physical access to locations where these devices are deployed, using access logs or surveillance where feasible.
3. Regularly check for firmware updates from Tomofun, despite the current lack of patches, as future updates may address this vulnerability.
4. Consider disabling or removing these devices from sensitive environments where physical security cannot be guaranteed.
5. Educate users and employees about the risks of physical tampering with IoT devices and encourage reporting of suspicious activity.
6. Implement network segmentation to isolate these devices from critical systems, limiting potential lateral movement if compromised.
7. If possible, replace affected devices with models from vendors that provide timely security updates and have a better security track record.
8. Maintain an inventory of all deployed IoT devices to quickly identify and respond to vulnerabilities.
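The inventory step above is only useful if it can be matched against the affected ranges the advisory names (Furbo 360 up to FB0035_FW_036, Furbo Mini up to MC0020_FW_074). The following is an added example, not Tomofun's or VulDB's code, of that triage: it assumes firmware strings follow the `<hardware>_FW_<build>` shape seen in the advisory and that the build suffix compares numerically; the inventory is constructed. Because no fixed version exists, a build above the ceiling is reported as "above-advisory-range" rather than "fixed".

```python
"""Match an IoT inventory against the CVE-2025-11641 affected ranges.

Added example; assumptions: firmware strings look like FB0035_FW_036
(two letters, four digits, '_FW_', numeric build) and the build number
orders releases. Anything that does not parse is sent for human review.
"""
import re

# Ceilings named in the advisory ("up to" is inclusive).
AFFECTED_CEILING = {
    "Furbo 360": "FB0035_FW_036",
    "Furbo Mini": "MC0020_FW_074",
}

# Assumed firmware-string format, derived from the two strings on the page.
FW_RE = re.compile(r"^(?P<hw>[A-Z]{2}\d{4})_FW_(?P<build>\d+)$")


def parse_firmware(s: str) -> tuple[str, int]:
    """Return (hardware_prefix, build) or raise ValueError if unparseable."""
    m = FW_RE.match(s.strip().upper())
    if not m:
        raise ValueError(f"unrecognised firmware string: {s!r}")
    return m.group("hw"), int(m.group("build"))


def is_affected(product: str, firmware: str) -> str:
    """Verdict for one device: 'affected', 'above-advisory-range' or 'review'.

    'review' covers products the advisory does not list, hardware prefixes
    that do not match the product's known prefix, and unparseable strings.
    """
    ceiling_s = AFFECTED_CEILING.get(product)
    if ceiling_s is None:
        return "review"
    try:
        hw, build = parse_firmware(firmware)
    except ValueError:
        return "review"
    ceiling_hw, ceiling_build = parse_firmware(ceiling_s)
    if hw != ceiling_hw:
        return "review"  # e.g. Furbo Mini entry carrying a Furbo 360 image
    # No fix is known, so a higher build is only "outside what the advisory
    # names", never "patched".
    return "affected" if build <= ceiling_build else "above-advisory-range"


def triage(inventory: list[dict]) -> list[tuple[str, str]]:
    """Return (asset_id, verdict) pairs for every inventory entry."""
    return [(e["asset_id"], is_affected(e["product"], e["firmware"]))
            for e in inventory]


# Constructed inventory for illustration; cam-02's build is hypothetical.
SAMPLE_INVENTORY = [
    {"asset_id": "cam-01", "product": "Furbo 360", "firmware": "FB0035_FW_036"},
    {"asset_id": "cam-02", "product": "Furbo 360", "firmware": "FB0035_FW_037"},
    {"asset_id": "cam-03", "product": "Furbo Mini", "firmware": "MC0020_FW_070"},
    {"asset_id": "cam-04", "product": "Furbo Mini", "firmware": "mc0020_fw_074"},
    {"asset_id": "cam-05", "product": "Furbo Mini", "firmware": "FB0035_FW_010"},
    {"asset_id": "cam-06", "product": "Other Cam", "firmware": "XX0001_FW_001"},
    {"asset_id": "cam-07", "product": "Furbo 360", "firmware": "FB0035-FW-36"},
]

if __name__ == "__main__":
    for asset_id, verdict in triage(SAMPLE_INVENTORY):
        print(f"{asset_id}: {verdict}")
```

Run against a real inventory export, every "affected" entry maps to mitigations 1, 2 and 4 above, and every "review" entry is a data-quality problem to fix before the inventory can be trusted for the next advisory.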


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-10-11T18:32:47.228Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68ebf5e4b1bbab260229ddf9

Added to database: 10/12/2025, 6:39:32 PM

Last enriched: 10/12/2025, 6:53:27 PM

Last updated: 10/12/2025, 7:12:24 PM

