The Petlibrio Smart Pet Feeder Platform, up to version 1.7.31, suffers from an improper authorization vulnerability identified as CVE-2025-3653. The root cause is the platform's acceptance of arbitrary serial numbers in its device control APIs without verifying device ownership or user authorization. This flaw allows an unauthenticated remote attacker to control any smart pet feeder device by simply providing its serial number. Exploitation enables attackers to manipulate feeding schedules, trigger manual feeding actions, access live camera feeds integrated into the device, and alter device settings. The vulnerability does not require any authentication or user interaction, making it trivially exploitable over the network. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to user privacy and device integrity. The lack of ownership verification in the API design represents a critical security design flaw, exposing all devices to potential unauthorized control if their serial numbers are known or guessed. This vulnerability highlights the importance of robust access control and authentication mechanisms in IoT device management platforms.

For European organizations and consumers using the Petlibrio Smart Pet Feeder Platform, this vulnerability can lead to unauthorized control over pet feeding devices, resulting in potential animal welfare issues due to malicious feeding schedule changes or denial of feeding. The ability to access camera feeds compromises user privacy and may expose sensitive visual information from inside homes or offices. Unauthorized modification of device settings can disrupt normal operations and degrade user trust in smart home technologies. Although the direct impact on critical infrastructure is limited, the privacy and safety implications are significant, especially for households and businesses relying on these devices. The vulnerability could also be leveraged as a foothold for broader network intrusion if the smart feeders are connected to internal networks without proper segmentation. The medium CVSS score reflects moderate but tangible risks to confidentiality, integrity, and availability of the devices and associated data.

1. Immediate deployment of vendor-provided patches or firmware updates once available to enforce proper ownership verification and authorization checks in device control APIs. 2. Network segmentation of IoT devices, including smart pet feeders, to isolate them from sensitive internal networks and reduce attack surface. 3. Implement strict API access controls, such as IP whitelisting or VPN requirements, to restrict who can send commands to the devices. 4. Monitor network traffic for anomalous API requests, especially those involving unusual serial numbers or repeated unauthorized access attempts. 5. Educate users to avoid sharing device serial numbers publicly or with untrusted parties, as these identifiers can be exploited. 6. Encourage the vendor to adopt secure development lifecycle practices, including threat modeling and authorization testing for IoT platforms. 7. Consider disabling remote access features temporarily if immediate patching is not feasible, to limit exposure. 8. Use multi-factor authentication and strong credentials for any associated user accounts managing the devices, even though this vulnerability bypasses authentication, to reduce risk from other attack vectors.