
CVE-2025-11646: Improper Access Controls in Tomofun Furbo 360

Severity: Medium
Published: Sun Oct 12 2025 (10/12/2025, 21:02:05 UTC)
Source: CVE Database V5
Vendor/Project: Tomofun
Product: Furbo 360

Description

A vulnerability was detected in Tomofun Furbo 360 and Furbo Mini. This vulnerability affects unknown code of the component GATT Service. The manipulation results in improper access controls. The attack can only be performed from the local network. The exploit is now public and may be used. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 10/19/2025, 21:32:30 UTC

Technical Analysis

CVE-2025-11646 is a vulnerability identified in the Tomofun Furbo 360 and Furbo Mini pet cameras, specifically within an unspecified portion of the GATT (Generic Attribute Profile) Service component. The vulnerability arises from improper access controls: the device does not adequately restrict access to certain functions or data over the Bluetooth Low Energy (BLE) interface. Exploitation requires the attacker to be on the same local network as the device; the attack vector is limited to local network access. No authentication or user interaction is necessary, which lowers the barrier to exploitation once local access is achieved. The vulnerability affects firmware versions up to FB0035_FW_036 for Furbo 360 and up to MC0020_FW_074 for Furbo Mini. The flaw could allow an attacker to read or manipulate data or device functions, potentially leading to unauthorized surveillance, privacy breaches, or disruption of device operation. The vendor, Tomofun, was contacted early but has not responded or provided patches, and a public exploit is available, which increases the risk of exploitation. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the limited attack vector but the ease of exploitation and the potential impact on confidentiality, integrity, and availability. The vulnerability does not reach beyond the local network scope and requires neither privileges nor user interaction, but the presence of a public exploit raises the urgency of mitigation.

Potential Impact

For European organizations, the primary impact of this vulnerability lies in privacy and security risks associated with the use of Furbo 360 and Furbo Mini devices in homes, offices, or small business environments. Unauthorized local network attackers could exploit this flaw to gain access to video feeds or control device functions, leading to breaches of confidentiality and potential surveillance. Integrity of device operation could be compromised, allowing attackers to manipulate device behavior or disable security features. Availability impacts are possible if the device is disrupted or rendered inoperable. While the attack requires local network access, many European environments have increasingly interconnected smart home and office networks, sometimes with insufficient segmentation or security controls, increasing exposure. The lack of vendor response and patches means organizations must rely on network-level mitigations. The risk is heightened in environments where these devices are used in sensitive areas or where local network access controls are weak. The vulnerability does not pose a direct threat to critical infrastructure but can contribute to broader security risks if attackers leverage compromised devices as footholds within local networks.

Mitigation Recommendations

1. Network Segmentation: Isolate Furbo devices on a separate VLAN or guest network to limit local network exposure and reduce the risk of unauthorized access.
2. Disable Bluetooth if not required: Since the vulnerability involves the GATT Service (BLE), disabling Bluetooth on the device or network where possible can reduce attack surface.
3. Strong Local Network Security: Enforce strong Wi-Fi encryption (WPA3 if available), use complex passwords, and restrict network access to trusted devices only.
4. Monitor Network Traffic: Implement network monitoring to detect unusual BLE or device communication patterns indicative of exploitation attempts.
5. Device Usage Policies: Limit the placement of these devices in sensitive areas and educate users about the risks of local network attacks.
6. Firmware Updates: Regularly check for vendor updates or community patches, and apply them promptly once available.
7. Vendor Engagement: Encourage Tomofun to respond and provide official patches or mitigations.
8. Incident Response Preparedness: Prepare to isolate or remove vulnerable devices quickly if exploitation is suspected.

These steps go beyond generic advice by focusing on network architecture and device-specific controls relevant to this vulnerability's attack vector.


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-10-11T18:33:03.614Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68ec1ad92951d0f0a8712bfd

Added to database: 10/12/2025, 9:17:13 PM

Last enriched: 10/19/2025, 9:32:30 PM

Last updated: 12/4/2025, 10:50:51 PM
