CVE-2025-3652 affects the Petlibrio Smart Pet Feeder Platform up to version 1.7.31 and involves an authentication bypass vulnerability that enables unauthorized users to access private audio recordings. The vulnerability stems from the platform's use of sequential audio IDs and an insecure assignment endpoint (/device/deviceAudio/use) that does not enforce proper access controls or authentication. Attackers can exploit this by sending crafted requests with arbitrary audio IDs to assign audio recordings to any device, effectively hijacking audio content belonging to other users. Subsequently, attackers can retrieve the URLs of these audio recordings and access private audio data without any credentials or user interaction. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, and no required privileges or user interaction. The vulnerability impacts confidentiality by exposing private audio but does not affect integrity or availability. No patches or known exploits are currently reported, but the flaw represents a significant privacy risk given the sensitive nature of audio data collected by smart pet feeders. The issue highlights the importance of secure endpoint design, proper authentication, and non-predictable resource identifiers in IoT platforms.

For European organizations, this vulnerability primarily threatens the confidentiality of private audio recordings captured by Petlibrio Smart Pet Feeders. This could lead to unauthorized surveillance or privacy violations, especially in environments where these devices are used in homes, veterinary clinics, or pet care facilities. Exposure of audio data could result in reputational damage, regulatory penalties under GDPR for mishandling personal data, and loss of customer trust. Since the vulnerability requires no authentication and can be exploited remotely, attackers could target multiple devices at scale. The impact is more pronounced in sectors with strict privacy requirements or where audio data might contain sensitive information. Although the vulnerability does not directly affect system integrity or availability, the privacy breach alone is significant. European organizations using these devices should consider the risk of data leakage and potential compliance issues.

Immediate mitigation involves restricting network access to the vulnerable endpoints, such as implementing firewall rules or network segmentation to limit exposure of the Petlibrio Smart Pet Feeder devices to untrusted networks. Organizations should monitor network traffic for suspicious requests targeting /device/deviceAudio/use and implement anomaly detection to identify unauthorized access attempts. Users should update to patched versions once available from the vendor; until then, disabling remote access features or isolating the devices on a separate VLAN can reduce risk. Vendors should implement proper authentication and authorization checks on all API endpoints, replace predictable sequential audio IDs with cryptographically secure identifiers, and enforce access controls to prevent unauthorized assignment or retrieval of audio recordings. Regular security audits and penetration testing of IoT platforms are recommended to detect similar flaws early.