CVE-2025-11645: Insecure Storage of Sensitive Information in Tomofun Furbo Mobile App
A security vulnerability has been detected in Tomofun Furbo Mobile App up to 7.57.0a on Android. This affects an unknown part of the component Authentication Token Handler. The manipulation leads to insecure storage of sensitive information. It is possible to launch the attack on the physical device. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-11645 covers the Tomofun Furbo Mobile App for Android up to and including version 7.57.0a. The weakness sits in the component VulDB labels the Authentication Token Handler: the app's authentication token is written to the device in a form that does not adequately protect it (the advisory does not say where the token is stored or in what format). An attacker with physical access to the device could recover the token without authenticating to the app and without any user interaction. Such tokens normally stand in for the user's session, so a recovered token could plausibly be replayed against the Furbo account, the pet camera or the associated cloud services for as long as it remains valid. The exploit has been published; the vendor was contacted ahead of disclosure, has not responded, and no fix is available. The CVSS 4.0 base score is 2.4 (low): the attack vector is physical and the assessed impact on confidentiality and integrity is limited. No in-the-wild exploitation is known. With no patch, the residual risk falls on users who cannot control physical access to their devices. The case is a reminder that mobile apps controlling IoT devices should keep session secrets in platform-protected storage rather than in plain app data.
Potential Impact
For European organizations and users, the primary impact is compromise of the authentication token the Furbo Mobile App stores on the phone. A replayed token could give unauthorized access to the Furbo pet camera and related services, potentially exposing live or recorded video and personal account data. The attack requires physical access, so the exposure is concentrated in devices that are lost, stolen or handled by unauthorized people. Organizations whose staff run Furbo devices in offices or home offices face privacy breaches and unauthorized surveillance of those spaces. Availability is barely affected; confidentiality of user data and control of the device are what is at stake. The low CVSS score means the threat is not critical, but it should not be ignored in sectors with strict data protection obligations such as GDPR. How long a stolen token stays usable depends on the backend's session handling, which the advisory does not describe. With no vendor patch, affected users must rely on operational controls to reduce the risk.
Mitigation Recommendations
1. Restrict physical access to devices running the Furbo Mobile App to trusted individuals.
2. Confirm device encryption is on (recent Android versions enable it by default). Encryption protects data at rest only while the device is locked, so pair it with a short auto-lock timeout.
3. Use a strong device lock (PIN, password or biometric) so that a lost or stolen device cannot simply be unlocked and inspected.
4. If a device is lost or stolen, sign out of the Furbo app on that device where the service allows it, change the account password and end any other sessions. This assumes the Furbo backend invalidates existing tokens on logout or password change; the advisory does not confirm that it does.
5. Review whatever login or session activity the Furbo account exposes for access you do not recognize.
6. Remove the Furbo app from devices that cannot be physically secured, and keep backups of any data you need from it.
7. Ask the vendor for an update that stores the token with Android's platform-protected storage, such as a key held in the Android Keystore rather than a plaintext value in app data.
8. Educate users about the risk of physical device compromise and about securing phones that control IoT products.
9. Segment IoT devices on the network and monitor their traffic for anomalies.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-11T18:32:59.727Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ec117fb0f2f6c74eaacec2
Added to database: 10/12/2025, 8:37:19 PM
Last enriched: 10/12/2025, 8:50:05 PM
Last updated: 10/12/2025, 10:55:40 PM
Related Threats
- CVE-2025-11649: Use of Hard-coded Password in Tomofun Furbo 360 (High)
- CVE-2025-11648: Server-Side Request Forgery in Tomofun Furbo 360 (Medium)
- CVE-2025-11647: Information Disclosure in Tomofun Furbo 360 (Low)
- CVE-2025-11646: Improper Access Controls in Tomofun Furbo 360 (Medium)
- CVE-2025-11644: Insecure Storage of Sensitive Information in Tomofun Furbo 360 (Low)