CVE-2025-11644: Insecure Storage of Sensitive Information in Tomofun Furbo 360
A weakness has been identified in Tomofun Furbo 360 and Furbo Mini. The affected code is an unknown function of the UART Interface component. Manipulation of this interface can lead to insecure storage of sensitive information. The attack requires physical access to the device, is characterized by high complexity, and is known to be difficult to exploit. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-11644 identifies a security weakness in the Tomofun Furbo 360 and Furbo Mini pet cameras, specifically in the UART interface component. The weakness is insecure storage of sensitive information on the physical device: an attacker with physical access could manipulate the UART interface to extract sensitive data stored insecurely in the device's firmware or memory. The attack complexity is high, requiring specialized knowledge and physical access; once physical access is obtained, no authentication or user interaction is needed. The affected firmware versions are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. Despite early notification, the vendor has not issued a patch or response. The CVSS 4.0 vector gives a low severity score of 1.0, reflecting a physical attack vector (AV:P), high attack complexity (AC:H), no privileges or user interaction required, and low impact on confidentiality. There are no known exploits in the wild, and the scope is limited to the physical device. The vulnerability primarily threatens confidentiality. Because no vendor response or patch is available, users must rely on physical security controls and monitoring until a fix is released.
Potential Impact
For European organizations, the impact of this vulnerability is limited but non-negligible. Since exploitation requires physical access to the device, remote attacks are not feasible, reducing the risk for large-scale breaches. However, in environments where Furbo devices are deployed in accessible locations (e.g., offices, retail spaces, or homes of employees), attackers with physical proximity could extract sensitive data, potentially including network credentials or personal information. This could lead to privacy violations or facilitate further attacks if sensitive data is leveraged. The low CVSS score and high complexity reduce urgency but do not eliminate risk, especially in regulated sectors with strict data protection requirements such as GDPR. The absence of vendor patches increases the window of exposure. Organizations using these devices should evaluate their physical security policies and consider the sensitivity of data potentially exposed by these cameras.
Mitigation Recommendations
1. Restrict physical access to Furbo 360 and Furbo Mini devices, especially in sensitive environments, to prevent unauthorized manipulation of the UART interface.
2. Monitor for firmware updates or security advisories from Tomofun and apply patches promptly once available.
3. Consider disabling or physically blocking UART interface access if feasible, to reduce attack surface.
4. Conduct regular audits of device placement and access controls to ensure devices are not left in publicly accessible areas.
5. If possible, replace affected devices with newer models or alternative products that have addressed this vulnerability.
6. Educate staff about the risks of physical tampering with IoT devices and enforce policies to report suspicious activity.
7. Implement network segmentation to isolate IoT devices from critical systems, limiting potential lateral movement if data is compromised.
8. Maintain an inventory of all Furbo devices deployed and track firmware versions to identify vulnerable units.
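Recommendation 8 above (track firmware versions to find vulnerable units) can be automated against an asset inventory. The following is an added example written for this page, not code from Tomofun or from the advisory source. It assumes that device firmware strings follow the `FB0035_FW_036` / `MC0020_FW_074` pattern quoted in the advisory (a hardware prefix, the literal `_FW_`, and a numeric build counter that increases with newer releases), and that the "up to" ceilings are inclusive. Units whose version string cannot be parsed are reported separately rather than silently treated as safe, since an unreadable or missing version is itself a finding for the physical-access review.

```python
import re
from typing import Dict, List, Tuple

# Affected firmware ceilings quoted in the advisory: versions "up to" these
# (inclusive) are affected. No fixed version is published, so anything above
# the ceiling is only reported as outside the stated range, not as patched.
AFFECTED_UP_TO = {
    "FB0035": ("Furbo 360", "FB0035_FW_036"),
    "MC0020": ("Furbo Mini", "MC0020_FW_074"),
}

# Assumed version-string layout: two letters + four digits, "_FW_", build number.
_FW_RE = re.compile(r"^(?P<hw>[A-Z]{2}\d{4})_FW_(?P<fw>\d+)$")


def parse_firmware(version: str) -> Tuple[str, int]:
    """Split 'FB0035_FW_036' into ('FB0035', 36).

    Raises ValueError for strings that do not match the assumed pattern so
    callers cannot accidentally compare garbage as if it were a version.
    """
    m = _FW_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    return m.group("hw"), int(m.group("fw"))


def classify(version: str) -> str:
    """Return one of: vulnerable, above_affected_range, not_affected, unknown."""
    try:
        hw, fw = parse_firmware(version)
    except ValueError:
        return "unknown"
    if hw not in AFFECTED_UP_TO:
        return "not_affected"          # hardware family not named in the advisory
    _, ceiling = AFFECTED_UP_TO[hw]
    _, max_fw = parse_firmware(ceiling)
    return "vulnerable" if fw <= max_fw else "above_affected_range"


def triage_inventory(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group asset ids by classification so vulnerable and unknown units can
    be prioritised for the physical-access controls listed above."""
    out: Dict[str, List[str]] = {
        "vulnerable": [], "above_affected_range": [], "not_affected": [], "unknown": []
    }
    for asset in inventory:
        out[classify(asset["firmware"])].append(asset["asset_id"])
    return out


# Constructed sample inventory (hypothetical asset ids, not real device data).
SAMPLE_INVENTORY = [
    {"asset_id": "cam-01", "firmware": "FB0035_FW_036"},  # at the Furbo 360 ceiling
    {"asset_id": "cam-02", "firmware": "FB0035_FW_037"},  # one build above it
    {"asset_id": "cam-03", "firmware": "MC0020_FW_070"},  # below the Furbo Mini ceiling
    {"asset_id": "cam-04", "firmware": "MC0020_FW_075"},  # one build above it
    {"asset_id": "cam-05", "firmware": "unknown"},        # version could not be read
]

if __name__ == "__main__":
    for bucket, ids in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket:22s} {', '.join(ids) or '-'}")
```

The numeric comparison of the build counter is the key assumption; if the vendor's numbering ever stopped being monotonic the ceiling check would have to be replaced by an explicit allow-list of known-affected strings.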
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-11T18:32:56.286Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ec0b3b8f179ca8e875fda0
Added to database: 10/12/2025, 8:10:35 PM
Last enriched: 10/19/2025, 8:30:11 PM
Last updated: 12/4/2025, 5:07:13 AM