CVE-2025-3653: Improper Authorization of Index Containing Sensitive Information in Petlibro Smart Pet Feeder Platform
CVE-2025-3653 is an improper authorization vulnerability in the Petlibro Smart Pet Feeder Platform that allows attackers to manipulate any device by submitting arbitrary serial numbers, because the platform does not verify ownership of the device named by the serial number. Exploitation enables unauthorized control over feeding schedules, manual feeding triggers, camera feeds, and device settings. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. Although no known exploits are currently in the wild, the medium severity CVSS score of 6.9 reflects the significant confidentiality, integrity, and availability impacts possible. European organizations using Petlibro devices, especially in countries with higher smart pet device adoption, could face privacy violations and operational disruptions. Mitigation requires vendor patches once available, network segmentation of IoT devices, and monitoring for anomalous API requests. Countries with notable smart home technology markets such as Germany, the UK, France, and the Netherlands are most likely to be affected. Defenders should prioritize restricting network access to these devices and verifying device ownership controls to prevent unauthorized manipulation.
AI Analysis
Technical Summary
CVE-2025-3653 is a vulnerability in the Petlibro Smart Pet Feeder Platform, affecting versions up to 1.7.31, characterized by improper authorization in the device control APIs. The flaw arises because the platform accepts arbitrary serial numbers without verifying whether the requester owns the device associated with that serial number. This lack of ownership verification allows an attacker to remotely control any Petlibro smart pet feeder by simply providing its serial number. The attacker can manipulate feeding schedules, trigger manual feeding, access live camera feeds, and modify device settings without any authentication or user interaction. The vulnerability is remotely exploitable over the network (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and has low complexity (AC:L). The impact affects confidentiality (access to camera feeds), integrity (modification of feeding schedules and settings), and availability (potential disruption of feeding functions). Although no exploits are currently known in the wild, the vulnerability poses a significant risk to users’ privacy and device reliability. The CVSS 4.0 base score is 6.9, reflecting medium severity. The vulnerability highlights a critical design flaw in access control mechanisms for IoT devices, emphasizing the need for strict ownership verification and authentication in device management APIs.
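To make the flaw concrete, the following is an added illustrative example written for this analysis, not Petlibro's code. It models a device-control endpoint in which the client-supplied serial number is the only input to the authorization decision, beside the corrected form that authenticates the caller and checks the (caller, device) pair against the ownership binding established at pairing time. The handler names, request shape, in-memory registry and sample serial numbers are all assumptions constructed for the example.

```python
"""Added example: missing vs. enforced ownership check on a device-control API.

Illustrative code written for this analysis, not the vendor's code.  The
handler names, the request shape, the in-memory device registry and the
sample serial numbers are assumptions.  It models the pattern the advisory
describes: a command endpoint that trusts a client-supplied serial number
as the whole authorization decision.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    serial: str
    owner_id: str  # account the device was bound to during pairing


@dataclass
class Request:
    serial: str
    session_user: Optional[str] = None  # None models an unauthenticated call
    body: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: dict


# Constructed sample registry: two devices bound to two different accounts.
DEVICES: Dict[str, Device] = {
    "SN-EXAMPLE-0001": Device("SN-EXAMPLE-0001", owner_id="alice"),
    "SN-EXAMPLE-0002": Device("SN-EXAMPLE-0002", owner_id="bob"),
}

# Record of commands actually dispatched to hardware (what a real service
# would push onto the device's command queue).
DISPATCHED: List[Tuple[str, str]] = []


def dispatch(device: Device, command: str) -> None:
    DISPATCHED.append((device.serial, command))


def manual_feed_vulnerable(req: Request) -> Response:
    """Flawed pattern: the serial number is the whole authorization decision.
    No session is required and ownership is never consulted, so any
    request naming a valid serial is acted on."""
    device = DEVICES.get(req.serial)
    if device is None:
        return Response(404, {"error": "unknown device"})
    dispatch(device, "manual_feed")
    return Response(200, {"ok": True, "serial": device.serial})


def manual_feed_hardened(req: Request) -> Response:
    """Corrected form: authenticate the caller, then authorize the
    (caller, device) pair against the ownership binding.  Unknown and
    not-owned serials get the identical response so the endpoint cannot
    be used to confirm which serial numbers exist."""
    if req.session_user is None:
        return Response(401, {"error": "authentication required"})
    device = DEVICES.get(req.serial)
    if device is None or device.owner_id != req.session_user:
        # Deliberately the same for "no such device" and "not yours".
        return Response(403, {"error": "device not bound to this account"})
    dispatch(device, "manual_feed")
    return Response(200, {"ok": True, "serial": device.serial})


if __name__ == "__main__":
    # Unauthenticated request naming another account's device.
    anon = Request(serial="SN-EXAMPLE-0002")
    print("vulnerable, anonymous:", manual_feed_vulnerable(anon).status)  # 200
    print("hardened, anonymous:  ", manual_feed_hardened(anon).status)    # 401
    # Authenticated as alice, naming bob's device.
    cross = Request(serial="SN-EXAMPLE-0002", session_user="alice")
    print("hardened, wrong owner:", manual_feed_hardened(cross).status)   # 403
    own = Request(serial="SN-EXAMPLE-0001", session_user="alice")
    print("hardened, owner:      ", manual_feed_hardened(own).status)     # 200
```

The important design point is that the ownership table, not the request, decides which device a session may command; the serial number is merely a lookup key. Returning the same status for unknown and foreign serials also denies an unauthenticated caller any signal about which serials are in use.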
Potential Impact
For European organizations and consumers using Petlibro Smart Pet Feeders, this vulnerability can lead to unauthorized access to sensitive information such as live camera feeds, violating privacy regulations like GDPR. Manipulation of feeding schedules and device settings can disrupt pet care, potentially causing harm or distress to pets. Organizations that integrate these devices into broader smart home or pet care services may face reputational damage and operational disruptions. The unauthorized control could also be leveraged as a foothold for lateral movement within home or corporate networks if these devices are connected to internal systems. Privacy breaches from camera access are particularly concerning under European data protection laws, potentially resulting in regulatory penalties. The medium severity score indicates a moderate but tangible risk, especially in environments where these devices are widely deployed or integrated with other smart home infrastructure.
Mitigation Recommendations
Immediate mitigation involves isolating Petlibro Smart Pet Feeder devices on segmented networks or VLANs to limit exposure to untrusted networks. Network-level access controls should restrict inbound API requests to trusted sources only. Monitoring network traffic for unusual API calls containing arbitrary serial numbers can help detect exploitation attempts. Users and organizations should apply vendor patches promptly once released to enforce proper ownership verification and authentication. Until patches are available, disabling remote access features or restricting device connectivity to local networks can reduce risk. Additionally, implementing multi-factor authentication and device binding mechanisms at the application layer can prevent unauthorized control. Security awareness for users about the risks of exposing IoT devices to public networks is essential. Vendors should be urged to adopt secure development lifecycle practices emphasizing authorization checks and secure API design.
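The monitoring recommendation above can be turned into a concrete check. The following is an added example written for this analysis, not a Petlibro or vendor tool: it parses constructed API-gateway log lines and, using the account-to-serial ownership table the control plane should already hold, flags successful device-control calls with no authenticated user, calls where the authenticated user does not own the named serial, and any single source address that issued control calls against many distinct serials. The log layout, field names, action names and threshold are assumptions.

```python
"""Added example: flagging ownership-violating device-control calls in API logs.

Illustrative detection written for this analysis, not a vendor tool.  The
key=value log layout, field names, action names and the distinct-serial
threshold are assumptions; the log lines and ownership bindings below are
constructed sample data.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed ownership bindings (the table the control plane should
# consult before dispatching any command).
BINDINGS: Dict[str, str] = {
    "SN-EXAMPLE-0001": "alice",
    "SN-EXAMPLE-0002": "bob",
    "SN-EXAMPLE-0003": "bob",
    "SN-EXAMPLE-0004": "carol",
}

# Constructed API-gateway log lines in an assumed key=value layout.
# "user=-" denotes a request with no authenticated session.
SAMPLE_LOG = """\
ts=2025-04-16T10:00:01Z src=198.51.100.10 user=alice serial=SN-EXAMPLE-0001 action=manual_feed status=200
ts=2025-04-16T10:00:05Z src=198.51.100.11 user=bob serial=SN-EXAMPLE-0002 action=set_schedule status=200
ts=2025-04-16T10:01:00Z src=203.0.113.7 user=- serial=SN-EXAMPLE-0002 action=manual_feed status=200
ts=2025-04-16T10:01:02Z src=203.0.113.7 user=- serial=SN-EXAMPLE-0003 action=camera_stream status=200
ts=2025-04-16T10:01:04Z src=203.0.113.7 user=- serial=SN-EXAMPLE-0004 action=manual_feed status=200
ts=2025-04-16T10:02:30Z src=198.51.100.12 user=carol serial=SN-EXAMPLE-0001 action=set_schedule status=200
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
CONTROL_ACTIONS = {"manual_feed", "set_schedule", "camera_stream"}
DISTINCT_SERIAL_THRESHOLD = 3  # assumption: tune to the deployment


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict."""
    return dict(FIELD_RE.findall(line))


def detect(log_text: str, bindings: Dict[str, str],
           threshold: int = DISTINCT_SERIAL_THRESHOLD) -> List[str]:
    """Return one alert string per suspicious event or source.

    Rules, all evaluated against the ownership table:
      1. a control action succeeded with no authenticated user;
      2. an authenticated user issued a control action against a serial
         not bound to their account;
      3. one source address issued control actions against at least
         `threshold` distinct serials, which is how submitting arbitrary
         serial numbers appears from the gateway's point of view.
    """
    alerts: List[str] = []
    serials_by_src: Dict[str, Set[str]] = defaultdict(set)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("action") not in CONTROL_ACTIONS or ev.get("status") != "200":
            continue  # only successful control calls matter here
        src, user, serial = ev["src"], ev["user"], ev["serial"]
        serials_by_src[src].add(serial)
        owner = bindings.get(serial)
        if user == "-":
            alerts.append(f"unauthenticated control of {serial} from {src}")
        elif owner != user:
            alerts.append(f"{user} controlled {serial} owned by {owner} from {src}")
    for src, serials in serials_by_src.items():
        if len(serials) >= threshold:
            alerts.append(f"{src} touched {len(serials)} distinct serials")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, BINDINGS):
        print(alert)
```

Rule 3 is the one that does not depend on the ownership table, so it remains useful when the gateway cannot see account bindings at all; rules 1 and 2 are stronger signals but presuppose that the log records the authenticated principal alongside the serial number, which is itself a logging requirement worth stating to the vendor.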
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T18:53:26.973Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6959a9dfdb813ff03e731ca3
Added to database: 1/3/2026, 11:44:31 PM
Last enriched: 1/11/2026, 9:27:26 PM
Last updated: 2/7/2026, 11:36:03 AM