CVE-2025-11648 is a server-side request forgery vulnerability identified in Tomofun's Furbo 360 and Furbo Mini pet cameras. The vulnerability resides in an unspecified function related to the TF_FQDN.json file within the GATT Interface URL Handler component. This flaw enables an attacker to manipulate the device into making arbitrary HTTP requests from the device’s network environment, potentially accessing internal or protected resources that would otherwise be inaccessible externally. The attack vector is remote and does not require authentication or user interaction, but the attack complexity is high, reflecting the difficulty in crafting a successful exploit. The vulnerability affects firmware versions up to FB0035_FW_036 for Furbo 360 and MC0020_FW_074 for Furbo Mini. The vendor was notified but has not issued any response or patch, leaving devices exposed. The CVSS 4.0 vector indicates network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). This suggests that while exploitation is challenging, successful attacks could lead to limited information disclosure or indirect impacts on device operation. No known exploits have been reported in the wild, but the lack of vendor response and patch availability increases risk over time.

For European organizations, the impact of this SSRF vulnerability primarily concerns privacy and network security risks. Furbo devices are consumer IoT products, often used in homes but increasingly found in office environments for pet monitoring. An attacker exploiting this vulnerability could leverage the device to perform internal network reconnaissance or access internal services that are otherwise shielded from external access, potentially leading to lateral movement or data leakage. Although the direct impact on confidentiality, integrity, and availability is rated low, the SSRF could be a stepping stone in a broader attack chain targeting internal infrastructure. Organizations with Furbo devices connected to corporate networks or with weak network segmentation could face increased risk. Additionally, the lack of vendor response and patch availability means that affected devices remain vulnerable, increasing exposure over time. The complexity of exploitation reduces immediate risk but does not eliminate it, especially for targeted attacks.

Given the absence of vendor patches, European organizations should implement network-level mitigations to reduce risk. This includes isolating Furbo devices on segmented VLANs or separate guest networks with strict firewall rules preventing these devices from initiating requests to internal network resources. Network monitoring should be enhanced to detect unusual outbound requests originating from these devices. Disabling unnecessary services or remote access features on the devices can also reduce attack surface. Organizations should inventory all Furbo devices and firmware versions to identify vulnerable units. Until a vendor patch is available, consider temporarily disconnecting vulnerable devices from sensitive networks or replacing them with alternative products. Additionally, applying strict egress filtering and employing intrusion detection systems capable of identifying SSRF patterns can help mitigate exploitation attempts. Regularly checking for vendor updates or advisories is also recommended.