
CVE-2025-11645: Insecure Storage of Sensitive Information in Tomofun Furbo Mobile App

0
Low
Tags: Vulnerability, CVE-2025-11645
Published: Sun Oct 12 2025 (10/12/2025, 20:32:05 UTC)
Source: CVE Database V5
Vendor/Project: Tomofun
Product: Furbo Mobile App

Description

A security vulnerability has been detected in Tomofun Furbo Mobile App up to 7.57.0a on Android. This affects an unknown part of the component Authentication Token Handler. The manipulation leads to insecure storage of sensitive information. It is possible to launch the attack on the physical device. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 10/19/2025, 21:00:50 UTC

Technical Analysis

CVE-2025-11645 identifies an insecure storage vulnerability in the Tomofun Furbo Mobile App version 7.57.0a on Android. The flaw lies in the Authentication Token Handler component, which stores authentication tokens insecurely on the device. An attacker with physical access could therefore extract these tokens without any authentication or user interaction and, depending on the tokens' scope and the server-side protections around them, use them to impersonate the legitimate user or gain unauthorized access to the Furbo service or associated accounts.

The impact is not a broad loss of confidentiality, integrity or availability; it is specifically the confidentiality of the stored authentication tokens. The CVSS 4.0 vector reflects this: physical access is required (AV:P), attack complexity is low (AC:L), no privileges or user interaction are needed (PR:N/UI:N), and the confidentiality impact is low (VC:L).

The vendor was notified but has not responded or released a patch, and no known exploits are currently in the wild. The issue is most relevant to Android users of the Furbo app, which is used primarily for pet monitoring and care. The need for physical device access limits the risk, but the public disclosure raises the chance of exploitation by insiders or opportunistic attackers. Without vendor mitigation, users remain exposed to token theft if their devices are lost, stolen, or accessed by unauthorized persons.
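The analysis above does not say how the Furbo app stores its tokens, so the following is a generic Android illustration added here; it is not code from the Furbo app or from Tomofun. It places the weak pattern (a token written in clear text to SharedPreferences, which is exactly what a forensic image or backup of the app's private storage would hand over) beside a hardened store whose encryption key lives in the Android Keystore via AndroidX `EncryptedSharedPreferences`. The preference file name, key name and class names are assumptions.

```kotlin
// Added example: generic Android token-storage patterns, not Furbo's code.
import android.content.Context
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

private const val PREFS_NAME = "auth"          // hypothetical preference file name
private const val TOKEN_KEY = "access_token"   // hypothetical preference key

// Weak pattern: the token lands in clear text in
// /data/data/<package>/shared_prefs/auth.xml. Anyone who can read the app's
// private storage (root, an unencrypted device image, an app backup) obtains
// a credential that is reusable until the server revokes it.
class PlaintextTokenStore(context: Context) {
    private val prefs = context.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE)

    fun save(token: String) = prefs.edit().putString(TOKEN_KEY, token).apply()
    fun load(): String? = prefs.getString(TOKEN_KEY, null)
}

// Hardened pattern: keys and values are encrypted with a master key generated
// in the Android Keystore (hardware-backed where the device supports it) that
// is never exported to the file system, so a copy of the preference file
// alone yields ciphertext only.
class EncryptedTokenStore(context: Context) {
    private val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()

    private val prefs = EncryptedSharedPreferences.create(
        context,
        PREFS_NAME,
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

    fun save(token: String) = prefs.edit().putString(TOKEN_KEY, token).apply()
    fun load(): String? = prefs.getString(TOKEN_KEY, null)

    // Wipe the token on logout or when the server reports it revoked, so a
    // later physical compromise finds nothing to extract.
    fun clear() = prefs.edit().remove(TOKEN_KEY).apply()
}
```

Two points a reviewer of such code would also check: whether the preference file is excluded from device backups (`android:allowBackup` and the app's backup rules), since a Keystore-bound key cannot be restored on another device but a plaintext file can, and whether the master key is further gated on user authentication (`MasterKey.Builder.setUserAuthenticationRequired`), which ties token use to the device lock that mitigation 3 below asks users to enable. Recent AndroidX releases mark `EncryptedSharedPreferences` as deprecated; the principle it demonstrates, a Keystore-resident key rather than a file-resident secret, still applies.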

Potential Impact

For European organizations, the impact is primarily on user privacy and potential unauthorized access to Furbo accounts. Organizations using Furbo devices for pet monitoring or customer engagement may face reputational damage if user data is compromised. If tokens are reused or poorly protected server-side, an attacker could hijack user sessions or access live video feeds, which could put the organization in breach of GDPR requirements on personal data protection.

The low CVSS score and the physical-access requirement limit the risk of large-scale remote exploitation. The main concern is insider threats or theft of devices from employees or customers, which could lead to unauthorized surveillance or data leakage. Organizations should weigh the risk where Furbo devices are deployed in sensitive environments or where user trust is critical. The lack of a vendor response and patch widens the window of exposure and calls for proactive mitigation. Overall, the threat is moderate but should not be ignored, given the sensitivity of authentication tokens and the privacy implications.

Mitigation Recommendations

1. Enforce strict physical security controls to prevent unauthorized access to devices running the Furbo app, including employee and customer devices.
2. Ensure full device encryption is enabled on all Android devices to protect stored data at rest.
3. Encourage users to set strong device lock mechanisms (PIN, password, biometric) to reduce the risk of token extraction.
4. Monitor for suspicious activity on Furbo accounts that could indicate token misuse or unauthorized access.
5. If possible, revoke and regenerate authentication tokens periodically or after device loss/theft.
6. Consider isolating Furbo app usage to dedicated devices with limited access to sensitive corporate data.
7. Advocate for vendor engagement and demand a patch or secure token storage improvements.
8. Educate users about the risks of physical device compromise and secure handling of their devices.
9. Employ mobile device management (MDM) solutions to enforce security policies and remotely wipe devices if compromised.
10. Review server-side token validation mechanisms to ensure tokens cannot be easily reused or exploited if stolen.
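Items 4, 5 and 10 above are about what the service can do once a token has already left the device. The plain Kotlin sketch below is added here to show one way that can look; it is not Tomofun's server code. Tokens are stored only as hashes, bound to the device they were issued to (item 10), revocable per device when a loss is reported (item 5), and a small detector flags the same token presented from two devices inside a short window (item 4). All names, the constructed gateway events and the IP addresses (taken from documentation ranges) are assumptions.

```kotlin
// Added example (not Furbo's server code): device-bound tokens, per-device
// revocation and a reuse detector run over constructed auth events.
import java.security.MessageDigest
import java.time.Duration
import java.time.Instant

data class IssuedToken(
    val tokenHash: String,   // only the SHA-256 of the bearer token is kept server-side
    val userId: String,
    val deviceId: String,    // device the token was issued to
    val expiresAt: Instant,
    var revoked: Boolean = false
)

// One authentication attempt as an API gateway would log it (constructed shape).
data class AuthEvent(val tokenHash: String, val deviceId: String, val ip: String, val at: Instant)

fun sha256Hex(s: String): String =
    MessageDigest.getInstance("SHA-256").digest(s.toByteArray())
        .joinToString("") { "%02x".format(it) }

class TokenRegistry(private val now: () -> Instant = { Instant.now() }) {
    private val tokens = HashMap<String, IssuedToken>()

    fun issue(token: String, userId: String, deviceId: String, ttl: Duration): IssuedToken {
        val t = IssuedToken(sha256Hex(token), userId, deviceId, now().plus(ttl))
        tokens[t.tokenHash] = t
        return t
    }

    // Item 5: when a device is reported lost, every token issued to it is killed.
    fun revokeDevice(userId: String, deviceId: String): Int {
        val hits = tokens.values.filter { it.userId == userId && it.deviceId == deviceId && !it.revoked }
        hits.forEach { it.revoked = true }
        return hits.size
    }

    // Item 10: a token is accepted only from the device it was issued to,
    // so a copy lifted off the phone is useless elsewhere.
    fun validate(token: String, deviceId: String): String {
        val t = tokens[sha256Hex(token)] ?: return "unknown"
        return when {
            t.revoked -> "revoked"
            now().isAfter(t.expiresAt) -> "expired"
            t.deviceId != deviceId -> "device-mismatch"
            else -> "ok"
        }
    }
}

// Item 4: the same token presented from two different devices within `window`
// is a strong signal that it was copied off the original device.
fun flagReuse(events: List<AuthEvent>, window: Duration): List<String> {
    val alerts = mutableListOf<String>()
    for ((hash, evs) in events.groupBy { it.tokenHash }) {
        val sorted = evs.sortedBy { it.at }
        for (i in 1 until sorted.size) {
            val prev = sorted[i - 1]
            val cur = sorted[i]
            val gap = Duration.between(prev.at, cur.at)
            if (cur.deviceId != prev.deviceId && gap <= window) {
                alerts += "token ${hash.take(12)} used by ${prev.deviceId} (${prev.ip}) " +
                    "and ${cur.deviceId} (${cur.ip}) within ${gap.toMinutes()} min"
            }
        }
    }
    return alerts
}

fun main() {
    var clock = Instant.parse("2025-10-12T20:00:00Z")   // constructed, controllable clock
    val registry = TokenRegistry { clock }
    registry.issue("tok-abc", "user-1", "phone-A", Duration.ofHours(1))

    println(registry.validate("tok-abc", "phone-A"))    // presented from the issuing device
    println(registry.validate("tok-abc", "phone-B"))    // same token presented from another device
    println(registry.revokeDevice("user-1", "phone-A")) // user reports phone-A lost
    println(registry.validate("tok-abc", "phone-A"))    // token after the loss report
    clock = clock.plus(Duration.ofHours(2))
    println(registry.validate("tok-xyz", "phone-A"))    // token the service never issued

    // Constructed gateway events: the token leaves phone-A and shows up on phone-B minutes later.
    val h = sha256Hex("tok-abc")
    val events = listOf(
        AuthEvent(h, "phone-A", "203.0.113.5", Instant.parse("2025-10-12T20:01:00Z")),
        AuthEvent(h, "phone-A", "203.0.113.5", Instant.parse("2025-10-12T20:05:00Z")),
        AuthEvent(h, "phone-B", "198.51.100.9", Instant.parse("2025-10-12T20:07:00Z"))
    )
    flagReuse(events, Duration.ofMinutes(10)).forEach(::println)
}
```

The device identifier used for binding has to be something the client proves rather than merely asserts (a key held in the device Keystore and used to sign requests, for example); a self-reported string is trivially copied along with the token. The detector is deliberately conservative: it only fires on a device change inside the window, so a user who legitimately signs in on a new phone after the old one expired is not flagged.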


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-10-11T18:32:59.727Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68ec117fb0f2f6c74eaacec2

Added to database: 10/12/2025, 8:37:19 PM

Last enriched: 10/19/2025, 9:00:50 PM

Last updated: 12/2/2025, 10:17:53 PM
