CVE-2025-3652 identifies an authentication bypass vulnerability in the Petlibrio Smart Pet Feeder Platform, specifically in versions up to 1.7.31. The vulnerability stems from the platform's insecure handling of audio recordings associated with pet feeders. Attackers exploit the sequential nature of audio recording IDs and an insecure assignment endpoint (/device/deviceAudio/use) to assign arbitrary audio recordings to any device. This allows unauthorized users to retrieve URLs for private audio recordings belonging to other users without requiring authentication, privileges, or user interaction. The vulnerability compromises confidentiality by exposing potentially sensitive audio data captured by the device. The CVSS 4.0 score of 6.9 reflects a medium severity, with network attack vector, low attack complexity, and no required privileges or user interaction. There are no known exploits in the wild yet, but the flaw could be leveraged to invade user privacy or gather intelligence from audio data. The platform's lack of secure access controls and predictable audio ID assignment are the root causes. The vulnerability highlights the risks of IoT devices that handle private data without robust security mechanisms. Remediation requires fixing the assignment logic, enforcing authentication and authorization checks, and possibly redesigning the audio ID generation to be non-sequential and unpredictable.

For European organizations, the primary impact is the breach of confidentiality and privacy due to unauthorized access to private audio recordings. This can lead to exposure of sensitive conversations or environments, potentially violating GDPR and other data protection regulations. Organizations using Petlibrio Smart Pet Feeders in offices, homes, or sensitive facilities risk reputational damage and legal consequences if private data is leaked. The vulnerability could also be exploited for espionage or surveillance purposes, especially in environments where audio data is sensitive. Although the vulnerability does not directly affect system integrity or availability, the privacy implications are significant. The ease of exploitation without authentication increases the risk of widespread abuse. European companies with IoT deployments or smart pet devices integrated into their environments should be aware of this threat. The lack of known exploits in the wild currently limits immediate risk, but proactive mitigation is necessary to prevent future incidents.

1. Immediately update the Petlibrio Smart Pet Feeder Platform to a patched version once available that addresses the authentication bypass and audio ID assignment issues. 2. Until patches are released, restrict network access to the device management endpoints, especially /device/deviceAudio/use, using firewall rules or network segmentation. 3. Implement strong authentication and authorization controls on all API endpoints handling sensitive data, ensuring only authorized users can assign or retrieve audio recordings. 4. Replace sequential audio ID assignment with randomized, non-predictable identifiers to prevent enumeration attacks. 5. Monitor network traffic and device logs for unusual requests to audio assignment endpoints that could indicate exploitation attempts. 6. Educate users and administrators about the privacy risks associated with IoT devices and encourage disabling unnecessary audio recording features if possible. 7. Conduct regular security assessments of IoT devices deployed within the organization to identify and remediate similar vulnerabilities. 8. Collaborate with the vendor to ensure timely vulnerability disclosure and patch management.