CVE-2025-11635

4.3 MEDIUM

📋 TL;DR

The Tomofun Furbo 360 pet camera has a file-upload vulnerability that a remote attacker can use to cause resource consumption (denial of service). It affects all devices running firmware up to and including version FB0035_FW_036. The flaw lies in the file upload component; specific technical details are limited.

💻 Affected Systems

Products:
  • Tomofun Furbo 360
Versions: All versions up to FB0035_FW_036
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices with vulnerable firmware are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device unavailability due to resource exhaustion, potentially requiring a physical reset or factory restoration.
🟠 Likely Case: Temporary service degradation or device unresponsiveness until resource consumption subsides.
🟢 If Mitigated: Minimal impact with proper network segmentation and monitoring in place.

🌐 Internet-Facing: HIGH - Remote exploitation is possible, making internet-facing devices particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal network access still allows exploitation, though attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Specific exploitation details are not publicly available. The vulnerability requires understanding of the file upload mechanism.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware newer than FB0035_FW_036

Vendor Advisory: Not available - vendor did not respond to disclosure

Restart Required: Yes

Instructions:

1. Check the current firmware version in the Furbo app.
2. If the version is FB0035_FW_036 or older, update to the latest firmware through the Furbo app.
3. Restart the device after the update completes.

🔧 Temporary Workarounds

Network Segmentation (all): Isolate Furbo devices on a separate VLAN or network segment to limit the attack surface.

Disable Remote Access (all): Turn off internet connectivity for the device if local-only operation is acceptable.

🧯 If You Can't Patch

  • Monitor device resource usage and responsiveness for signs of attack
  • Implement strict firewall rules to limit connections to the device

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the Furbo mobile app under device settings. If the version is FB0035_FW_036 or lower, the device is vulnerable.

Check Version:

Not applicable - version check only available through Furbo mobile app interface

Verify Fix Applied:

Confirm that the firmware version shown in the Furbo app is newer than FB0035_FW_036.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload activity
  • Device resource exhaustion alerts
  • Multiple failed connection attempts

Network Indicators:

  • Abnormal traffic patterns to device file upload endpoints
  • Unusual volume of small file uploads

SIEM Query:

Not available - specific endpoint patterns not disclosed
