CVE-2025-3654 identifies an improper authorization vulnerability in the Petlibro Smart Pet Feeder Platform, specifically in versions up to 1.7.31. The vulnerability arises from insecure API endpoints that do not enforce proper access controls, allowing unauthenticated attackers to query the /device/devicePetRelation/getBoundDevices endpoint using pet IDs. This API call returns sensitive device hardware information, including device serial numbers and MAC addresses. Such information disclosure can be leveraged by attackers to fingerprint devices, bypass security controls, or escalate privileges to gain full control over the smart pet feeder. The vulnerability does not require any authentication or user interaction, and the attack vector is network-based, making it accessible remotely. The CVSS 4.0 base score of 6.9 reflects a medium severity level, primarily due to the lack of direct integrity or availability impact but significant confidentiality compromise. No patches or exploits are currently publicly available, but the risk remains due to the sensitive nature of the data exposed and the potential for subsequent exploitation. The platform’s widespread use in IoT pet care devices increases the attack surface, especially in environments where these devices are connected to home or enterprise networks.

For European organizations, the impact of this vulnerability includes unauthorized disclosure of device-specific information that can be used to facilitate further attacks such as device takeover or lateral movement within networks. In sectors like smart home services, veterinary clinics, or pet care businesses utilizing Petlibro devices, this could lead to privacy breaches or operational disruptions. The exposure of MAC addresses and serial numbers can aid attackers in bypassing network security measures or launching targeted attacks against IoT infrastructure. While the vulnerability itself does not directly compromise device integrity or availability, it significantly undermines confidentiality and could serve as a stepping stone for more severe attacks. Organizations with IoT deployments in Europe must consider the risk of unauthorized access to connected devices and the potential for data leakage or network infiltration. The lack of authentication and ease of exploitation increase the threat level in environments with insufficient network segmentation or monitoring.

To mitigate this vulnerability, organizations should first verify if their Petlibro Smart Pet Feeder devices are running vulnerable versions (up to 1.7.31) and apply any vendor-released patches or firmware updates as soon as they become available. In the absence of patches, network-level controls should be implemented to restrict access to the vulnerable API endpoints, such as firewall rules limiting inbound traffic to trusted sources only. Employ network segmentation to isolate IoT devices from critical enterprise systems and sensitive data repositories. Monitor network traffic for unusual API requests targeting pet feeder devices and implement anomaly detection to identify potential exploitation attempts. Additionally, enforce strong authentication and authorization mechanisms on IoT management platforms and APIs wherever possible. Regularly audit IoT device configurations and update device credentials to reduce the risk of unauthorized access. Finally, engage with the vendor for security advisories and consider alternative devices if timely remediation is not feasible.