CVE-2025-11649 identifies a vulnerability in Tomofun Furbo 360 and Furbo Mini smart pet cameras, specifically within an unspecified function of the Root Account Handler component. The flaw arises from the use of a hard-coded password embedded in the device firmware, which can be exploited by an attacker with local access to the device. This local access requirement means the attacker must be physically present or have access to the local network segment where the device resides. The attack complexity is high, indicating that exploitation is non-trivial and requires specialized knowledge or conditions. The vulnerability does not require user interaction or additional authentication beyond local privileges, and it impacts confidentiality, integrity, and availability at a high level. Firmware versions affected include Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. Despite early notification, the vendor Tomofun has not issued any patches or advisories. The public disclosure of the exploit increases the risk of exploitation, although no confirmed active exploitation in the wild has been reported. The CVSS 4.0 vector (AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P) reflects local attack vector, high complexity, no user interaction, and significant impact on all security properties. This vulnerability could allow attackers to gain root-level control over the device, potentially enabling surveillance, data exfiltration, or denial of service.

For European organizations, the impact of this vulnerability is significant, especially for those deploying Furbo 360 or Furbo Mini devices in office environments or smart home settings. The compromise of these devices could lead to unauthorized surveillance, breach of privacy, and potential lateral movement within local networks. Confidentiality is at risk as attackers could access video feeds or stored data. Integrity and availability could be compromised if attackers alter device configurations or disable functionality. Although exploitation requires local access, the increasing use of IoT devices in European workplaces and homes expands the attack surface. The lack of vendor response and patches increases the window of exposure. Organizations relying on these devices for pet monitoring or other purposes should consider the risk of insider threats or physical access attacks. The vulnerability could also undermine trust in IoT device security, impacting compliance with European data protection regulations such as GDPR if personal data is exposed.

To mitigate this vulnerability, European organizations and users should first restrict physical access to Furbo devices and ensure they are deployed in secure, controlled environments. Network segmentation should be implemented to isolate IoT devices from critical infrastructure and sensitive data networks. Employ strong local network access controls, such as WPA3 Wi-Fi with robust passwords, and monitor network traffic for unusual activity related to these devices. Disable any unnecessary services or remote access features on the devices to reduce attack vectors. Since no official patches are available, consider replacing affected devices with models from vendors that provide timely security updates. Regularly audit and inventory IoT devices to maintain visibility and control. Additionally, educate users about the risks of local access exploitation and enforce policies limiting device placement in unsecured or public areas. If possible, implement endpoint detection and response (EDR) solutions capable of identifying anomalous behavior from IoT devices. Finally, maintain awareness of any future vendor advisories or third-party patches addressing this vulnerability.