
CVE-2025-11646: Improper Access Controls in Tomofun Furbo 360

Severity: Medium
Published: Sun Oct 12 2025 (10/12/2025, 21:02:05 UTC)
Source: CVE Database V5
Vendor/Project: Tomofun
Product: Furbo 360

Description

A vulnerability was detected in Tomofun Furbo 360 and Furbo Mini. This vulnerability affects unknown code of the component GATT Service. The manipulation results in improper access controls. The attack can only be performed from the local network. The exploit is now public and may be used. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

AI analysis last updated: 10/12/2025, 21:17:42 UTC

Technical Analysis

CVE-2025-11646 identifies an improper access control vulnerability in the GATT Service component of the Tomofun Furbo 360 and Furbo Mini pet cameras. The flaw allows an attacker on the same local network to bypass access restrictions and potentially gain unauthorized access to device functions or data. Exploitation requires no authentication, user interaction, or elevated privileges, which makes it relatively easy to carry out from the local environment. The affected firmware versions are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074.

The vulnerability is rooted in the Bluetooth Low Energy (BLE) GATT service implementation, which handles device communication and control. GATT is the attribute protocol of BLE, so in practice an attacker must be within Bluetooth radio range of the device; the "local network" wording reflects this adjacency requirement. Improper access controls in this service could allow attackers to read or write sensitive attributes, potentially leading to privacy violations or device manipulation.

The vendor, Tomofun, was contacted early but did not respond or provide patches, and no official fixes are currently available. Public exploit code has been released, which increases the risk of exploitation, although no widespread attacks have been reported to date. The vulnerability's CVSS 4.0 score is 5.3 (medium), reflecting its adjacent attack vector, lack of authentication requirements, and limited impact scope. It primarily threatens environments where these devices are deployed on shared or poorly segmented local networks, such as home or small office networks.

Potential Impact

For European organizations, the primary impact of CVE-2025-11646 is on privacy and security of IoT devices used in residential or office settings. Unauthorized local network attackers could exploit this flaw to access video streams, manipulate device settings, or disrupt device availability, potentially leading to privacy breaches or denial of service. While the attack requires local network access, many European homes and small businesses have Wi-Fi networks that could be compromised or accessed by malicious insiders or nearby attackers. This vulnerability could undermine trust in IoT devices and expose sensitive personal or corporate information captured by these cameras. Additionally, exploitation could serve as a foothold for lateral movement within local networks, increasing overall risk. The lack of vendor response and patches exacerbates the threat, requiring organizations to rely on network-level controls. The impact is more pronounced in environments with weak network segmentation or where these devices are integrated into broader smart office or home automation systems.

Mitigation Recommendations

1. Segment IoT devices like Furbo cameras onto isolated VLANs or separate Wi-Fi networks to limit local network exposure.
2. Disable Bluetooth or GATT services if not required for device operation to reduce the attack surface.
3. Monitor local network traffic for unusual BLE or device communication patterns indicative of exploitation attempts.
4. Enforce strong Wi-Fi security, including WPA3 where possible, and restrict guest network access to prevent unauthorized local access.
5. Regularly audit IoT device firmware versions and configurations, and apply updates promptly when vendor patches become available.
6. Consider replacing affected devices with alternatives from vendors with active security support if patching is not forthcoming.
7. Educate users about the risks of local network attacks and encourage secure network practices.
8. Employ network intrusion detection systems capable of BLE protocol monitoring to detect suspicious activity.
9. Use strong network access controls and authentication mechanisms for all network segments hosting IoT devices.


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-10-11T18:33:03.614Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68ec1ad92951d0f0a8712bfd

Added to database: 10/12/2025, 9:17:13 PM

Last enriched: 10/12/2025, 9:17:42 PM

Last updated: 10/12/2025, 11:53:34 PM

