CVE-2025-11650 identifies a security weakness in the Tomofun Furbo 360 and Furbo Mini pet camera devices, specifically in the password handling mechanism involving the /etc/shadow file. The vulnerability arises from the use of a weak cryptographic hash algorithm to protect password hashes, which could theoretically allow an attacker with physical access to the device to manipulate or extract password data. The attack complexity is high, requiring physical possession of the device and advanced technical skills, and no remote exploitation is possible. The affected firmware versions include Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. Despite public disclosure, the vendor has not responded or issued patches, leaving the vulnerability unmitigated. The CVSS 4.0 score is 1.0, indicating low severity due to limited confidentiality impact, no integrity or availability impact, and the necessity of physical access and high attack complexity. No known exploits have been observed in the wild. This vulnerability highlights the risk of weak cryptographic practices in IoT devices, especially those handling sensitive user data. Organizations using these devices should consider the risk primarily from a physical security perspective and monitor for any vendor updates.

The primary impact of CVE-2025-11650 is the potential compromise of password hashes stored on the device due to weak hashing algorithms. For European organizations, the risk is limited because exploitation requires physical access to the device and advanced skills, reducing the likelihood of attack in typical enterprise environments. However, in scenarios where these devices are deployed in accessible locations (e.g., offices, public spaces), attackers could extract password hashes and attempt offline cracking, potentially leading to unauthorized access to device functions or user data. The vulnerability does not affect device availability or integrity directly, nor does it allow remote exploitation, limiting broader network impact. Still, organizations should consider the privacy implications, as these devices often capture video and audio data. The lack of vendor response and patches prolongs exposure. Overall, the impact on European organizations is low but non-negligible in environments with weak physical security controls or high-value targets using these devices.

1. Restrict physical access to Tomofun Furbo 360 and Furbo Mini devices, especially in sensitive or public areas, to prevent attackers from obtaining the device for offline analysis. 2. Implement strict physical security policies and monitoring for IoT devices deployed within organizational premises. 3. Regularly audit and inventory IoT devices to identify vulnerable firmware versions and plan for replacement or isolation if patches are unavailable. 4. Monitor vendor communications for any firmware updates or security advisories addressing this vulnerability. 5. Consider network segmentation to isolate these devices from critical systems, limiting potential lateral movement if compromised. 6. Employ endpoint detection solutions capable of monitoring unusual device behavior or unauthorized access attempts. 7. Educate staff about the risks of physical device tampering and encourage reporting of lost or stolen devices. 8. If possible, disable or limit password-based authentication mechanisms on the device or replace with stronger authentication methods. 9. Evaluate alternative devices with stronger security postures for future deployments.