CVE-2025-11649 identifies a vulnerability in the Tomofun Furbo 360 and Furbo Mini smart pet cameras, specifically within an unknown function of the Root Account Handler component. The flaw arises from the use of a hard-coded password embedded in the device firmware, which can be exploited by an attacker with local access to the device. The attack complexity is high, and exploitation is difficult, requiring limited privileges but no user interaction. The vulnerability affects Furbo 360 devices running firmware versions up to FB0035_FW_036 and Furbo Mini devices up to MC0020_FW_074. The presence of a hard-coded password means that once an attacker gains local access, they can leverage this credential to escalate privileges, potentially gaining root-level control over the device. This could lead to unauthorized access to video feeds, device settings, or network information, compromising confidentiality and integrity. The vendor, Tomofun, was contacted early but has not provided any response or patches, leaving the vulnerability unmitigated at present. The CVSS 4.0 score of 7.3 reflects a high severity, with attack vector local, high attack complexity, and significant impacts on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but public disclosure of the exploit details increases the risk of future attacks. The vulnerability does not require user interaction but does require local access, which limits remote exploitation but still poses a significant risk in environments where physical or local network access is possible.

For European organizations, the impact of CVE-2025-11649 can be significant, especially in environments where Furbo 360 or Furbo Mini devices are deployed. These devices are primarily consumer smart pet cameras but may be present in home offices or small business settings. The vulnerability allows attackers with local access to escalate privileges and potentially access sensitive video streams or device controls, leading to privacy violations and unauthorized surveillance. This could also serve as a foothold for lateral movement within a network if the device is connected to corporate or home networks. The confidentiality of video data and device credentials is at risk, as is the integrity of device firmware and settings. Availability could be impacted if attackers disrupt device operations. Given the high privacy standards and regulatory environment in Europe, including GDPR, unauthorized access to video data could have legal and reputational consequences. Organizations with employees working remotely or using smart home devices in hybrid work environments should be particularly cautious. The lack of vendor response and patches increases the urgency for organizations to implement compensating controls to mitigate risk.

1. Restrict physical and local network access to Furbo 360 and Furbo Mini devices to trusted users only. 2. Isolate these devices on segmented networks or VLANs to limit lateral movement opportunities. 3. Monitor network traffic and device logs for unusual access patterns or attempts to use default or hard-coded credentials. 4. Disable or limit local access interfaces where possible, such as USB or local console access. 5. Educate users about the risks of connecting such devices in sensitive environments and encourage secure placement. 6. Regularly check for firmware updates from Tomofun and apply them promptly once available. 7. Consider replacing affected devices with alternatives that do not have known hard-coded credential issues. 8. Implement network access control (NAC) solutions to detect and block unauthorized devices or access attempts. 9. Use endpoint detection and response (EDR) tools to identify suspicious activity related to these devices. 10. Document and enforce policies regarding the use of consumer IoT devices in corporate or sensitive environments.