CVE-2025-11643 identifies a security vulnerability in Tomofun Furbo 360 and Furbo Mini smart pet cameras, specifically within an unknown functionality related to the MQTT Client Certificate component located in the /squashfs-root/furbo_img file. The vulnerability arises from the presence of hard-coded credentials embedded in the firmware, which can be exploited remotely without requiring authentication, user interaction, or privileges. The affected firmware versions include Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The attack complexity is rated as high, indicating that exploitation requires significant effort or specialized knowledge, and no known exploits have been observed in the wild to date. The vulnerability could allow an attacker to gain unauthorized access to the device's MQTT communication channel, potentially enabling interception or manipulation of data transmitted between the device and its cloud services. This could compromise confidentiality and integrity of the data, such as video streams or device commands. The vendor Tomofun was contacted early about the issue but has not provided any response or patch, leaving affected devices vulnerable. The CVSS 4.0 vector (AV:N/AC:H/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X) reflects a network attack vector with high complexity, no privileges or user interaction required, and limited impact on integrity. The lack of patch availability necessitates alternative mitigation strategies. This vulnerability highlights risks associated with embedded hard-coded credentials in IoT devices, which can undermine device security and user privacy.

For European organizations, especially those in consumer electronics retail, smart home service providers, or enterprises deploying smart pet cameras in office environments, this vulnerability poses a risk of unauthorized access to device communications. The potential compromise of MQTT channels could lead to interception of video feeds or manipulation of device functions, impacting confidentiality and integrity. Although the attack complexity is high and exploitation is difficult, the absence of vendor response and patches prolongs exposure. Privacy regulations such as GDPR may also be implicated if personal data streams are intercepted. The impact is more pronounced in environments where these devices are integrated into broader IoT ecosystems, potentially serving as entry points for lateral movement. However, the limited scope and lack of known exploits reduce the immediate threat level. Organizations relying on these devices should consider the risk in their security posture and supply chain assessments.

Given the absence of vendor patches, European organizations should first inventory all Tomofun Furbo 360 and Furbo Mini devices to identify affected firmware versions. Where possible, isolate these devices on segmented networks to limit exposure to untrusted networks and reduce attack surface. Employ network-level controls such as firewall rules to restrict MQTT traffic to trusted endpoints only. Monitor network traffic for unusual MQTT activity indicative of exploitation attempts. Consider disabling or replacing vulnerable devices if firmware updates are unavailable. Engage with Tomofun for status on patch development and advocate for timely remediation. Additionally, implement compensating controls like enhanced logging and anomaly detection on IoT device communications. For future procurement, prioritize devices with transparent security practices and timely patch management. Finally, raise user awareness about the risks of embedded credentials in IoT devices and encourage secure configuration practices.