CVE-2025-3646: Missing Authentication for Critical Function in Petlibro Smart Pet Feeder Platform
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contain an authorization bypass vulnerability that allows unauthorized users to add accounts as shared owners of any device by exploiting missing permission checks. Attackers can send requests to the device share API to gain unauthorized access to devices and view owner information without any authorization validation taking place.
AI Analysis
Technical Summary
CVE-2025-3646 is a security vulnerability identified in the Petlibro Smart Pet Feeder Platform, specifically in versions up to 1.7.31. The core issue is a missing authentication or authorization check in the device share API, which allows attackers to bypass permission controls. By sending crafted requests to the API endpoint responsible for sharing devices, an attacker can add themselves as a shared owner of any smart pet feeder device without holding valid credentials for that device and without any user interaction. This unauthorized access lets the attacker view sensitive owner information and potentially manipulate device settings or operations. The vulnerability is exploitable over the network with low attack complexity, no privileges and no user interaction required, as reflected in its CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N). The impact on confidentiality, integrity, and availability is limited: unauthorized users gain control over device sharing, not full compromise of the platform. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability highlights the risks of insufficient access control in IoT device management APIs, which can lead to privacy violations and unauthorized device control.
Potential Impact
For European organizations, the vulnerability poses risks primarily to the privacy and operational integrity of smart pet feeder devices deployed in homes or in business environments such as pet care facilities. Unauthorized access to device sharing can expose personal owner information, including potentially sensitive data linked to user accounts. Attackers gaining shared ownership could manipulate feeding schedules or device settings, potentially causing harm to pets or disrupting service. While the direct impact on critical infrastructure is limited, the breach of trust and privacy could have reputational consequences for organizations using these devices. Additionally, if these devices are integrated into broader smart home or IoT ecosystems, the vulnerability could serve as a foothold for lateral movement or further attacks. The medium severity rating reflects moderate impact, but the ease of exploitation without authentication increases the risk. Organizations with many deployed devices, or those in regulated sectors with strict data privacy laws (e.g., GDPR), must consider the compliance implications of unauthorized data exposure.
Mitigation Recommendations
Immediate mitigation should include disabling the device sharing feature on all affected Petlibro Smart Pet Feeder devices until a vendor patch is available. Organizations should monitor network traffic for suspicious API requests targeting device sharing endpoints. Implement network segmentation to isolate IoT devices from critical business networks and reduce the attack surface. Enforce strong network access controls and consider deploying Web Application Firewalls (WAFs) or API gateways that can detect and block unauthorized API calls. Regularly audit device configurations and user access lists to identify shared owners that the device owner did not approve. Engage with Petlibro support channels to obtain updates on patches or firmware upgrades addressing this vulnerability. For future deployments, prioritize IoT devices with robust authentication and authorization mechanisms and conduct security assessments of device management APIs. Educate users on the risks of enabling sharing features and encourage strong password policies for associated accounts.
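The missing-permission-check pattern described in the technical summary, shown beside a hardened share handler and the shared-owner audit recommended above. This is an added illustration with an in-memory model, not Petlibro's code; every name, data structure and sample record in it is an assumption.

```python
"""Added example: a minimal model of a device share API with and without
an ownership check, plus an audit of unexpected shared owners.
Not Petlibro code; all names and data are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Device:
    device_id: str
    owner_id: str
    shared_owners: set = field(default_factory=set)


class PermissionDenied(Exception):
    pass


def share_device_vulnerable(devices, requester_id, device_id, new_user_id):
    """Flawed pattern: the requester is never compared with the device owner,
    so any caller who knows a device id can add a shared owner."""
    device = devices[device_id]
    device.shared_owners.add(new_user_id)
    # Returning the owner id to an unverified caller leaks owner information.
    return {"device_id": device_id, "owner": device.owner_id}


def share_device_hardened(devices, requester_id, device_id, new_user_id):
    """Hardened pattern: require an authenticated requester and verify that
    the requester owns the device before touching its share list."""
    if not requester_id:
        raise PermissionDenied("authentication required")
    device = devices.get(device_id)
    # Same error for unknown device and non-owner, so the endpoint does not
    # confirm which device ids exist to callers who do not own them.
    if device is None or device.owner_id != requester_id:
        raise PermissionDenied("requester is not the owner of this device")
    device.shared_owners.add(new_user_id)
    return {"device_id": device_id}  # owner id is not echoed back


def audit_shared_owners(devices, approved):
    """Audit step from the mitigation advice: report shared owners that are
    not on the owner's approved list, keyed by device id."""
    findings = {}
    for dev in devices.values():
        unexpected = dev.shared_owners - approved.get(dev.device_id, set())
        if unexpected:
            findings[dev.device_id] = sorted(unexpected)
    return findings


def make_sample_devices():
    """Constructed sample data: one feeder owned by 'alice'."""
    return {"feeder-01": Device("feeder-01", "alice")}
```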
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T13:13:26.337Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6959a9dfdb813ff03e731c9b
Added to database: 1/3/2026, 11:44:31 PM
Last enriched: 1/3/2026, 11:59:39 PM
Last updated: 1/7/2026, 4:12:50 AM