
CVE-2025-11647: Information Disclosure in Tomofun Furbo 360

Severity: Low
Published: Sun Oct 12 2025 (10/12/2025, 21:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Tomofun
Product: Furbo 360

Description

A flaw has been found in Tomofun Furbo 360 and Furbo Mini. This issue affects some unknown processing of the component GATT Service. This manipulation of the argument DeviceToken causes information disclosure. The attack is only possible within the local network. A high degree of complexity is needed for the attack. The exploitability is assessed as difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 10/19/2025, 22:03:27 UTC

Technical Analysis

CVE-2025-11647 is a low-severity information disclosure vulnerability in the Tomofun Furbo 360 and Furbo Mini pet cameras. The issue stems from improper handling of the DeviceToken argument in the device's Bluetooth GATT Service. GATT is a Bluetooth Low Energy profile, so the "local network" wording in the record is VulDB's rendering of the CVSS adjacent (AV:A) attack vector: an attacker must be within Bluetooth radio range of the camera, not on its Wi-Fi network. Within that range, manipulating DeviceToken causes the device to disclose information; the record does not say what is disclosed beyond rating the confidentiality impact as low (VC:L), with no integrity or availability impact. Attack complexity is high (AC:H), and no privileges (PR:N) or user interaction (UI:N) are required. Affected firmware is Furbo 360 up to and including FB0035_FW_036 and Furbo Mini up to and including MC0020_FW_074. The vendor was notified early but has not responded, and no fix is available. The CVSS 4.0 vector reported here, AV:A/AC:H/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P, is scored 2.3 (Low); note that the vector as printed omits the mandatory Attack Requirements (AT) metric, and that E:P is the exploit-maturity threat metric, recording that a proof of concept exists. No exploitation in the wild has been reported. The finding is a reminder that the Bluetooth side of an IoT device is an attack surface of its own, separate from its IP network exposure, and that an unresponsive vendor turns a low-severity bug into an unpatchable one.

Potential Impact

For European organizations the impact of CVE-2025-11647 is generally low: exploitation needs Bluetooth proximity to the camera and is rated high complexity. Exposure is greatest where an unknown party can get within radio range of a device, for example cameras placed near public lobbies, on shared floors in multi-tenant buildings, or in retail and clinic spaces. What is disclosed is not specified in the record, so the realistic concern is that leaked device identifiers or tokens could support reconnaissance or follow-on attacks against the associated account or the network the camera joins. If personal data is among the disclosed information, GDPR obligations on data protection and breach handling may apply. Because the vendor has not responded and no patch exists, the exposure persists for the life of the device, and any future simplification of the exploit technique would not be met by a fix. Direct operational impact is limited, but the case illustrates why consumer IoT devices in enterprise spaces need to be inventoried and managed like any other asset.

Mitigation Recommendations

Put Furbo cameras on a segmented IoT network with no route to business systems; this does not close the Bluetooth vector, but it limits what a leaked identifier or token could reach. Treat the Bluetooth side separately: position devices away from publicly accessible areas so that an attacker cannot easily get within radio range, and disable or limit Bluetooth on the device if its settings allow it. Inventory every Furbo 360 and Furbo Mini and record its firmware string; a Furbo 360 at FB0035_FW_036 or earlier, or a Furbo Mini at MC0020_FW_074 or earlier, is in the affected range. Conventional network intrusion detection cannot see Bluetooth traffic; monitoring that side requires a dedicated BLE scanner or sniffer near the devices, while on the IP side the camera's VLAN can be watched for unexpected outbound connections. Track the vendor's firmware releases and this record for a fix, and plan device replacement if the vendor remains unresponsive. Finally, make users aware that pet cameras and similar consumer devices should not be placed on untrusted networks or in uncontrolled spaces.
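The inventory check above is easy to get wrong by hand (the boundary builds are inclusive, and a newer hardware revision with a lower build number must not be reported as safe). The following is an added example, not code from the page or from Tomofun, that triages a firmware inventory against the two affected ranges named in the record. It assumes the firmware string layout <hardware code>_FW_<build> seen in the advisory and a hypothetical CSV export with hostname, model and firmware columns; the sample rows are constructed.

```python
from __future__ import annotations

import re

# Affected ranges as published in the CVE-2025-11647 record:
#   Furbo 360  -> FB0035_FW_036 and earlier
#   Furbo Mini -> MC0020_FW_074 and earlier
# The hardware-code prefix comes from the firmware string itself, so an
# inventory that only carries the firmware column is enough to triage.
LAST_AFFECTED_BUILD = {
    "FB0035": 36,
    "MC0020": 74,
}

# Assumed layout: <hardware code>_FW_<build number>, e.g. "FB0035_FW_036".
# The layout is inferred from the two versions in the advisory; nothing else
# about Tomofun's versioning scheme is known here.
FW_RE = re.compile(r"^(?P<hw>[A-Z]{2}\d{4})_FW_(?P<build>\d{1,4})$")


def parse_firmware(fw: str) -> tuple[str, int]:
    """Split 'FB0035_FW_036' into ('FB0035', 36); raise on anything else."""
    m = FW_RE.match(fw.strip().upper())
    if m is None:
        raise ValueError(f"unrecognised firmware string: {fw!r}")
    return m.group("hw"), int(m.group("build"))


def is_affected(fw: str) -> bool | None:
    """True if the firmware is in the published affected range, False if it
    is newer, None if the hardware code is not one the advisory names (a
    later revision or a different product), which must not be read as safe."""
    hw, build = parse_firmware(fw)
    last = LAST_AFFECTED_BUILD.get(hw)
    if last is None:
        return None
    return build <= last


# Constructed sample inventory (hypothetical devices): hostname,model,firmware
SAMPLE_INVENTORY = """\
furbo-lobby,Furbo 360,FB0035_FW_036
furbo-kitchen,Furbo 360,FB0035_FW_037
furbo-meeting,Furbo Mini,MC0020_FW_074
furbo-annex,Furbo Mini,MC0020_FW_075
furbo-store,Furbo Mini,MC0021_FW_003
furbo-typo,Furbo 360,fw036
"""


def triage(csv_text: str) -> dict[str, list[str]]:
    """Bucket each row as 'affected', 'not_affected' or 'review'.
    'review' collects unknown hardware codes and unparsable firmware
    strings: those need a human look rather than a silent pass."""
    buckets: dict[str, list[str]] = {"affected": [], "not_affected": [], "review": []}
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        name, _model, fw = (field.strip() for field in line.split(",", 2))
        try:
            status = is_affected(fw)
        except ValueError:
            status = None
        if status is True:
            buckets["affected"].append(name)
        elif status is False:
            buckets["not_affected"].append(name)
        else:
            buckets["review"].append(name)
    return buckets


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:13s} {', '.join(names) or '-'}")
```

Devices landing in the review bucket are the ones worth a manual check: a hardware code the advisory does not name may be a newer revision, but it may also simply be a unit the researcher never tested.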


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-10-11T18:33:06.599Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68ec21584063b57761c6472e
Added to database: 10/12/2025, 9:44:56 PM
Last enriched: 10/19/2025, 10:03:27 PM
Last updated: 12/3/2025, 1:44:09 AM
