
CVE-2025-11648: Server-Side Request Forgery in Tomofun Furbo 360

Medium
Tags: Vulnerability, CVE, CVE-2025-11648
Published: Sun Oct 12 2025 (10/12/2025, 22:02:05 UTC)
Source: CVE Database V5
Vendor/Project: Tomofun
Product: Furbo 360

Description

A vulnerability has been found in Tomofun Furbo 360 and Furbo Mini. Impacted is an unknown function of the file TF_FQDN.json of the component GATT Interface URL Handler. Such manipulation leads to server-side request forgery. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 10/12/2025, 22:12:24 UTC

Technical Analysis

CVE-2025-11648 is a server-side request forgery (SSRF) vulnerability in Tomofun's Furbo 360 and Furbo Mini pet cameras. It resides in the GATT Interface URL Handler component, specifically in the handling of the TF_FQDN.json file, which supplies the URLs the device requests. The component name refers to the Bluetooth Low Energy Generic Attribute Profile (GATT), which is worth keeping in mind when judging how the handler is actually reached. An attacker who can manipulate the hostname this handler consumes can make the device itself issue crafted requests to arbitrary internal or external network resources. Because the request originates from the camera, it can reach internal services that are not exposed externally, potentially disclosing sensitive information or enabling follow-on activity such as internal network scanning or exploitation of other vulnerabilities. The attack can be performed remotely without authentication or user interaction, but crafting a working exploit is considered difficult because of the manipulation the component requires. Affected firmware is Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. Despite early notification, the vendor has not responded, issued patches, or published advisories, so devices remain exposed. The CVSS 4.0 vector indicates a network attack vector with high attack complexity, no privileges or user interaction required, and low impact on confidentiality, integrity, and availability individually, combining to a medium severity score of 6.3. No exploitation in the wild has been observed yet, but the exploit has been publicly disclosed, which increases the likelihood of attempts.
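The defensive counterpart to the flaw described above is a URL handler that refuses to fetch anything it was not explicitly told to trust. The following Python is an added example written for this page, not code from Tomofun or from the Furbo firmware: it assumes a config of the shape {"fqdn": "<url>"} (the real TF_FQDN.json layout is not on the page), an allowlist suffix and a resolver table that are both constructed placeholders, and it demonstrates the three checks an SSRF-resistant handler needs: scheme pinning, a hostname allowlist that literal IP addresses cannot bypass, and a post-resolution check that rejects private, loopback and link-local addresses even when the name itself is trusted.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed allowlist of DNS suffixes the device is permitted to contact.
# The real Furbo cloud hostnames are not on the page, so this is a placeholder.
ALLOWED_SUFFIXES = (".example-vendor-cloud.test",)

# Constructed resolver table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "api.example-vendor-cloud.test": ["93.184.216.34"],      # public address
    "internal.example-vendor-cloud.test": ["10.0.0.5"],      # points into the LAN
    "meta.example-vendor-cloud.test": ["169.254.169.254"],   # link-local
}


def _host_allowed(host):
    """True if host equals an allowlisted zone or is a subdomain of one."""
    return any(host == s.lstrip(".") or host.endswith(s) for s in ALLOWED_SUFFIXES)


def _ip_is_public(ip_text):
    """Reject every address class that would let a request reach local resources."""
    addr = ipaddress.ip_address(ip_text)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_target(url, resolve=lambda host: FAKE_DNS.get(host, [])):
    """Return (ok, reason). ok is True only if scheme, host and resolved IPs all pass."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "missing host"
    # A literal IP would sidestep the suffix allowlist, so reject it outright.
    try:
        ipaddress.ip_address(host)
        return False, "literal IP not allowed"
    except ValueError:
        pass
    if not _host_allowed(host):
        return False, f"host {host} not in allowlist"
    addrs = resolve(host)
    if not addrs:
        return False, f"host {host} did not resolve"
    # Check every resolved address: a trusted name that points at a LAN or
    # link-local address is still an SSRF path.
    for ip_text in addrs:
        if not _ip_is_public(ip_text):
            return False, f"{host} resolves to non-public address {ip_text}"
    return True, "ok"


def check_fqdn_config(json_text):
    """Parse a config of the assumed shape {"fqdn": "<url>"} and validate it."""
    try:
        cfg = json.loads(json_text)
    except json.JSONDecodeError as exc:
        return False, f"invalid JSON: {exc}"
    url = cfg.get("fqdn") if isinstance(cfg, dict) else None
    if not isinstance(url, str):
        return False, "fqdn must be a string"
    return validate_target(url)


if __name__ == "__main__":
    for sample in ('{"fqdn": "https://api.example-vendor-cloud.test/v1"}',
                   '{"fqdn": "https://internal.example-vendor-cloud.test/"}',
                   '{"fqdn": "https://10.0.0.1/"}'):
        print(sample, "->", check_fqdn_config(sample))
```

The resolve parameter is injectable so the same validator can be unit-tested against a fake resolver and run in production against real DNS; in production the connection should also be made to the address that was checked, not re-resolved, so a changing DNS answer cannot slip a private address past the check.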

Potential Impact

For European organizations, the impact of this SSRF vulnerability could be significant wherever Furbo 360 or Furbo Mini devices sit on corporate or home networks. SSRF lets an attacker pivot from the camera into internal network segments and reach services, databases, or management interfaces that are not exposed externally, which can lead to unauthorized data disclosure, internal reconnaissance, or exploitation of further internal vulnerabilities. Because these devices are commonly attached to home or office networks, they can serve as a foothold for attackers targeting employees or executives. The absence of any vendor response or patch adds to the exposure. The direct impact on availability is low, but the confidentiality and integrity of internal systems could be compromised. Organizations with remote or hybrid work arrangements in which these devices share a network with work equipment should be particularly cautious. The medium severity rating reflects that exploitation is not trivial, but the potential for lateral movement and data exposure still warrants attention.

Mitigation Recommendations

Since no patches are currently available from the vendor, European organizations should rely on compensating controls. The most effective is segmentation: place IoT devices such as Furbo cameras on isolated VLANs or separate network segments, with firewall rules that stop them from initiating connections to internal network resources while still permitting the outbound cloud traffic they need to function. Network monitoring should be tuned to flag outbound connections from these devices to internal addresses, which an SSRF on the camera would produce and which a cloud-connected camera has no legitimate reason to make. Network-level access controls and DNS filtering add a further layer against SSRF attempts. Remote access features of the devices should be disabled or limited where not strictly necessary. Firmware versions should be audited regularly and vendor channels monitored for updates. Where feasible, replacing the vulnerable devices with alternatives that have better security support should be considered. Finally, educating users about the risks of IoT devices and enforcing strong network segmentation policies reduces the overall attack surface.
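The segmentation and monitoring advice above can be checked against real traffic. The following Python is an added example written for this page, not tooling from the vendor or from the analysis source: it assumes a constructed IoT VLAN of 192.168.50.0/24, a constructed allowlist in which the cameras may reach only the gateway for DNS and NTP among internal addresses, and a constructed key=value flow-log format as a firewall might emit. It parses sample log lines, flags any flow from the IoT segment to a non-allowlisted internal host (the traffic an SSRF through the camera would generate), and singles out sources touching several distinct internal hosts, which is the pattern internal scanning leaves.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed network layout: cameras live on an isolated IoT VLAN and, among
# internal addresses, may only reach the gateway for DNS and NTP. Any other
# internal destination should be blocked by the firewall and flagged if seen.
IOT_SEGMENT = ipaddress.ip_network("192.168.50.0/24")
ALLOWED_INTERNAL = {("192.168.50.1", 53), ("192.168.50.1", 123)}

# Constructed flow-log format: key=value fields as a firewall might emit.
FLOW_RE = re.compile(
    r"src=(?P<src>[0-9a-fA-F.:]+)\s+dst=(?P<dst>[0-9a-fA-F.:]+)\s+"
    r"proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)

# Constructed sample log lines: normal DNS and cloud traffic, two flows into
# the internal network, one flow from a non-IoT host, and one non-flow line.
SAMPLE_FLOWS = [
    "2025-10-13T00:01:02Z fw src=192.168.50.12 dst=192.168.50.1 proto=udp dport=53",
    "2025-10-13T00:01:03Z fw src=192.168.50.12 dst=93.184.216.34 proto=tcp dport=443",
    "2025-10-13T00:01:09Z fw src=192.168.50.12 dst=10.0.0.5 proto=tcp dport=80",
    "2025-10-13T00:01:10Z fw src=192.168.50.12 dst=10.0.0.6 proto=tcp dport=8080",
    "2025-10-13T00:01:11Z fw src=192.168.10.7 dst=10.0.0.5 proto=tcp dport=445",
    "2025-10-13T00:01:12Z fw heartbeat ok",
]


def parse_flow(line):
    """Extract (src, dst, proto, dport) from a log line, or None if it is not a flow record."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"], int(m["dport"])


def _is_internal(ip_text):
    addr = ipaddress.ip_address(ip_text)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def find_lateral_flows(lines):
    """Return (src, dst, dport) for flows from the IoT segment to non-allowlisted internal hosts."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, _proto, dport = flow
        try:
            if ipaddress.ip_address(src) not in IOT_SEGMENT:
                continue          # only devices on the IoT VLAN are in scope
            if not _is_internal(dst):
                continue          # cloud traffic is expected from a cloud-connected camera
        except ValueError:
            continue              # unparsable address: skip rather than crash the monitor
        if (dst, dport) in ALLOWED_INTERNAL:
            continue
        alerts.append((src, dst, dport))
    return alerts


def scan_suspects(alerts, min_distinct_hosts=2):
    """Sources touching at least min_distinct_hosts distinct internal hosts look like reconnaissance."""
    hosts = defaultdict(set)
    for src, dst, _dport in alerts:
        hosts[src].add(dst)
    return sorted(src for src, dsts in hosts.items() if len(dsts) >= min_distinct_hosts)


if __name__ == "__main__":
    found = find_lateral_flows(SAMPLE_FLOWS)
    for alert in found:
        print("ALERT iot->internal", alert)
    print("scan suspects:", scan_suspects(found))
```

The same allowlist doubles as the specification for the firewall policy on the IoT VLAN: if the firewall already enforces it, any alert from this monitor means either a policy gap or a logging path that bypasses the rules, and both are worth investigating.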


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-10-11T18:33:09.439Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68ec27b2152e6fbe60df9308

Added to database: 10/12/2025, 10:12:02 PM

Last enriched: 10/12/2025, 10:12:24 PM

Last updated: 10/13/2025, 12:35:20 AM

