CVE-2025-11644: Insecure Storage of Sensitive Information in Tomofun Furbo 360
Description
A weakness has been identified in Tomofun Furbo 360 and Furbo Mini. An unknown function of the UART Interface component is affected: manipulation of this interface can lead to insecure storage of sensitive information. The attack requires physical access to the device, is of high complexity, and is known to be difficult to exploit. An exploit has been made available to the public. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-11644 affects the Tomofun Furbo 360 and Furbo Mini pet cameras and is classified as insecure storage of sensitive information, with the UART interface named as the affected component. UART is a serial interface commonly left on embedded boards for debugging; here it provides an attacker with physical access a path to sensitive data that the device stores without adequate protection. The CVSS 4.0 vector separates two things that are easy to conflate: the attack vector is physical (the attacker must handle the device), and the attack complexity is rated high (exploitation needs specialised knowledge and equipment); the analysis assumes that no authentication or user interaction is required beyond that. Affected firmware is Furbo 360 up to and including FB0035_FW_036 and Furbo Mini up to and including MC0020_FW_074. No fixed version is identified: the vendor did not respond to the disclosure and has released no patch, so any later build should be treated as of unknown status rather than as fixed. A public exploit exists, but no active exploitation in the wild is known. The CVSS 4.0 score of 1.0 reflects the physical attack vector, the high complexity and the limited scope of impact: the issue threatens confidentiality only and does not affect integrity or availability. It is a typical example of an IoT device keeping sensitive material on local storage with nothing but physical access control standing between it and an attacker.
Potential Impact
For European organisations the primary impact is exposure of whatever sensitive information the Furbo 360 or Furbo Mini stores locally if an attacker obtains physical access to the unit. Depending on what the device keeps, this could include personal data or credentials used in the device's operation. The physical-access requirement and high attack complexity rule out mass exploitation, but devices placed in accessible locations (offices, shared spaces, employees' homes) can be picked up, connected to and returned. Because the vendor has not responded and no patch exists, the exposure does not diminish over time. Availability and integrity of the device itself are unaffected, but information recovered from it could support further attacks or privacy violations, so the issue matters most where these cameras sit in sensitive environments or where IoT security is a stated requirement. The public availability of exploit material lowers the effort for a skilled adversary who already has the device in hand.
Mitigation Recommendations
1. Restrict physical access to Furbo 360 and Furbo Mini devices to trusted personnel, especially in organisational environments.
2. Inspect devices periodically for signs of tampering, such as opened housings or leads attached to hardware interfaces like UART headers.
3. Where possible, disable or physically block the UART interface so that the exposed port cannot be used.
4. Replace affected devices with models that have verified secure storage and better physical security controls.
5. Segment the network so that IoT devices are isolated from critical systems, limiting what leaked information from a device can reach.
6. Keep an inventory of deployed Furbo devices with their firmware versions so that vulnerable units (Furbo 360 at or below FB0035_FW_036, Furbo Mini at or below MC0020_FW_074) can be identified.
7. Watch for a vendor fix or community findings; no fixed firmware version is identified at the time of writing, so do not assume a newer build resolves the issue.
8. Educate staff about the risks of physical device access and enforce policies against unauthorised handling.
9. Where the network allows it, monitor traffic from these devices for anomalous behaviour, since they offer no host-level telemetry of their own.
10. In sensitive environments, avoid deploying consumer-grade IoT devices that lack robust security assurances.
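Recommendation 6 calls for matching an inventory against the affected firmware ranges. The script below is an added example, not code from the advisory or from Tomofun: it parses firmware strings of the form shown in the advisory (`FB0035_FW_036`, `MC0020_FW_074`), treats "up to" as inclusive, and, because no fixed version is identified, reports builds above the listed one as "unknown" rather than "fixed". The inventory format (hostname, version) and the device names are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Affected ranges taken from the advisory text. "Up to" is read as inclusive:
# every build number <= the listed one is affected. Since the vendor did not
# respond, no fixed build is known, so anything above the listed build is
# reported as "unknown", never as "fixed".
AFFECTED_MAX = {
    "FB0035": ("Furbo 360", 36),   # up to FB0035_FW_036
    "MC0020": ("Furbo Mini", 74),  # up to MC0020_FW_074
}

# Shape of the version strings quoted in the advisory: <hardware id>_FW_<build>.
# Accepting any number of digits is an assumption for tolerance; the advisory
# only shows three-digit builds.
VERSION_RE = re.compile(r"^(?P<hw>[A-Z]{2}\d{4})_FW_(?P<build>\d+)$")


@dataclass(frozen=True)
class Assessment:
    device: str
    version: str
    model: str     # human-readable model name, or "" if unrecognised
    status: str    # "affected", "unknown" or "unrecognized"


def parse_version(version: str) -> Optional[Tuple[str, int]]:
    """Split 'FB0035_FW_036' into ('FB0035', 36); None if the shape is wrong."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    return m.group("hw"), int(m.group("build"))


def assess(device: str, version: str) -> Assessment:
    """Classify one inventory entry against the advisory's affected ranges."""
    parsed = parse_version(version)
    if parsed is None:
        return Assessment(device, version, "", "unrecognized")
    hw, build = parsed
    if hw not in AFFECTED_MAX:
        return Assessment(device, version, "", "unrecognized")
    model, max_affected = AFFECTED_MAX[hw]
    status = "affected" if build <= max_affected else "unknown"
    return Assessment(device, version, model, status)


# Constructed sample inventory: hostnames and the last two versions are made up.
SAMPLE_INVENTORY = """\
furbo-lobby-01,FB0035_FW_036
furbo-lobby-02,FB0035_FW_035
furbo-kitchen-01,MC0020_FW_074
furbo-kitchen-02,MC0020_FW_075
camera-misc-01,XX9999_FW_001
"""


def triage(inventory_csv: str) -> list[Assessment]:
    """Assess every 'hostname,version' line; malformed lines are reported, not dropped."""
    results = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        if "," not in line:
            results.append(Assessment(line.strip(), "", "", "unrecognized"))
            continue
        device, version = (part.strip() for part in line.split(",", 1))
        results.append(assess(device, version))
    return results


if __name__ == "__main__":
    for a in triage(SAMPLE_INVENTORY):
        print(f"{a.device:18} {a.version:15} {a.model:10} {a.status}")
```

Anything reported as "unknown" still deserves a physical-access review: the status only means the build is newer than the highest one the advisory names, not that the storage issue has been fixed.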
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-11T18:32:56.286Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ec0b3b8f179ca8e875fda0
Added to database: 10/12/2025, 8:10:35 PM
Last enriched: 10/12/2025, 8:22:47 PM
Last updated: 10/12/2025, 9:38:06 PM
Related Threats
CVE-2025-11646: Improper Access Controls in Tomofun Furbo 360 (Medium)
CVE-2025-11645: Insecure Storage of Sensitive Information in Tomofun Furbo Mobile App (Low)
CVE-2025-11643: Hard-coded Credentials in Tomofun Furbo 360 (Medium)
CVE-2025-11642: Denial of Service in Tomofun Furbo 360 (Medium)
CVE-2025-11641: Improper Access Controls in Tomofun Furbo 360 (Low)