CVE-2025-11643: Hard-coded Credentials in Tomofun Furbo 360
A security flaw has been discovered in Tomofun Furbo 360 and Furbo Mini. The vulnerability affects an unknown function in the file /squashfs-root/furbo_img, part of the MQTT Client Certificate component, which relies on hard-coded credentials. The attack may be initiated remotely. The attack complexity is rated as high, and exploitation appears to be difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-11643 identifies a security vulnerability in the Tomofun Furbo 360 and Furbo Mini pet cameras, specifically related to hard-coded credentials embedded within the MQTT Client Certificate component found in the file /squashfs-root/furbo_img. MQTT (Message Queuing Telemetry Transport) is a lightweight messaging protocol commonly used in IoT devices for communication. The presence of hard-coded credentials means that attackers who discover these static authentication details can potentially connect to the device’s MQTT service remotely, bypassing normal authentication mechanisms. This could allow unauthorized access to device communications or control functions. The vulnerability affects firmware versions up to FB0035_FW_036 for Furbo 360 and MC0020_FW_074 for Furbo Mini. The attack vector is remote network access, requiring no user interaction or prior authentication, but the attack complexity is rated high, indicating exploitation is difficult, possibly due to additional environmental or technical constraints. The vendor Tomofun was contacted early for remediation but has not responded, and no patches or mitigations have been published. The CVSS v4.0 score is 6.3 (medium severity), reflecting the balance between the potential impact and the difficulty of exploitation. No known exploits have been reported in the wild to date. This vulnerability could compromise confidentiality and integrity of data transmitted by the device, potentially allowing attackers to intercept or manipulate communications or gain unauthorized control over the device’s functions.
Potential Impact
For European organizations, the primary impact of CVE-2025-11643 lies in the potential compromise of confidentiality and integrity of communications from affected Furbo devices. These devices are typically consumer-grade pet cameras but may be used in small office or home office environments. Unauthorized access via hard-coded MQTT credentials could allow attackers to eavesdrop on video streams, manipulate device settings, or use the device as a foothold for lateral movement within a network. While the direct impact on availability is limited, the breach of privacy and potential data leakage is significant, especially under GDPR regulations concerning personal data protection. Organizations relying on these devices for monitoring or security purposes may face reputational damage and regulatory penalties if data is exposed. The high attack complexity reduces the likelihood of widespread exploitation, but targeted attacks against high-value individuals or organizations using these devices remain a concern. Lack of vendor response and patches increases the risk exposure duration.
Mitigation Recommendations
Given the absence of vendor patches, European organizations should implement specific mitigations to reduce risk. First, isolate Furbo devices on segmented network zones or VLANs separate from critical business systems to limit lateral movement if compromised. Disable or restrict MQTT communication where possible, or configure network firewalls to block unauthorized MQTT traffic to and from these devices. Monitor network traffic for unusual MQTT connection attempts or unexpected data flows. Employ network intrusion detection systems (NIDS) with signatures for MQTT anomalies. Regularly audit firmware versions and avoid deploying affected versions; if possible, upgrade to newer firmware once available. Consider replacing devices with known vulnerabilities if they cannot be adequately secured. Educate users about the risks of IoT devices with hard-coded credentials and enforce strict network access controls. Finally, maintain an incident response plan that includes IoT device compromise scenarios.
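The monitoring step above (flagging MQTT connections that should not be happening) can be put into practice with a small flow-log audit. The following is an added example, not code from the advisory or from Tomofun; the camera VLAN, the broker allowlist and the flow records are constructed placeholder values (documentation address ranges).

```python
import ipaddress
from dataclasses import dataclass

MQTT_PORTS = {1883, 8883}  # plain MQTT and MQTT over TLS
# Assumed VLAN that holds the Furbo cameras (placeholder range).
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
# Assumed allowlist of broker addresses the cameras are expected to reach (placeholder).
ALLOWED_BROKERS = {ipaddress.ip_address("203.0.113.10")}

# Constructed sample flow records: timestamp, source, destination, destination port.
SAMPLE_FLOWS = """\
2025-10-12T19:41:00Z 10.50.0.21 203.0.113.10 8883
2025-10-12T19:41:05Z 10.50.0.21 198.51.100.7 1883
2025-10-12T19:42:10Z 192.0.2.44 10.50.0.21 1883
2025-10-12T19:43:00Z 10.50.0.21 203.0.113.10 443
"""

@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str

def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, dst, dport = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)

def audit_mqtt_flows(text):
    """Return a Finding for every MQTT flow that violates the segmentation policy."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_flow(line)
        if dport not in MQTT_PORTS:
            continue  # not MQTT, outside the scope of this check
        reasons = []
        if src in IOT_SEGMENT and dst not in ALLOWED_BROKERS:
            reasons.append("camera reached non-allowlisted MQTT endpoint")
        if dst in IOT_SEGMENT:
            reasons.append("inbound MQTT connection to camera segment")
        if dport == 1883:
            reasons.append("cleartext MQTT (no TLS)")
        if reasons:
            findings.append(Finding(ts, str(src), str(dst), dport, "; ".join(reasons)))
    return findings
```

Fed the sample records, only the expected TLS session to the allowlisted broker passes; the outbound session to an unknown host and the inbound connection to the camera are both reported, each also tagged as cleartext.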
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-11T18:32:53.176Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ec04772ad1f36bd948e97a
Added to database: 10/12/2025, 7:41:43 PM
Last enriched: 10/12/2025, 7:55:12 PM
Last updated: 10/12/2025, 9:38:10 PM