CVE-2025-11638

4.3 MEDIUM

📋 TL;DR

A vulnerability in Tomofun Furbo 360 and Furbo Mini pet cameras allows attackers on the same local network to cause denial of service by exploiting an unknown function in the Bluetooth Handler component. This affects all users with vulnerable firmware versions, potentially disrupting camera functionality. The vendor has not responded to disclosure attempts.

💻 Affected Systems

Products:
  • Tomofun Furbo 360
  • Tomofun Furbo Mini
Versions: Furbo 360 up to FB0035_FW_036, Furbo Mini up to MC0020_FW_074
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices with vulnerable firmware are affected when Bluetooth is enabled. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Permanent device bricking requiring hardware replacement, complete loss of camera functionality including monitoring and treat dispensing capabilities.

🟠 Likely Case: Temporary device crash requiring manual reboot, interrupting live streaming and notifications for pet monitoring.

🟢 If Mitigated: Minimal impact with proper network segmentation preventing local network access to vulnerable devices.

🌐 Internet-Facing: LOW - Attack requires local network access, not directly exploitable from the internet.
🏢 Internal Only: MEDIUM - Attackers on the same local network can exploit this vulnerability to disrupt device functionality.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires attacker to be on the same local network and have knowledge of Bluetooth manipulation techniques. No authentication bypass needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Furbo 360: FB0035_FW_037+, Furbo Mini: MC0020_FW_075+

Vendor Advisory: Not available - vendor did not respond to disclosure

Restart Required: No

Instructions:

1. Open the Furbo mobile app
2. Navigate to device settings
3. Check for firmware updates
4. Apply any available updates
5. Verify the firmware version after the update

🔧 Temporary Workarounds

Disable Bluetooth (applies to: all affected versions)

Turn off Bluetooth functionality on affected devices to prevent exploitation via the Bluetooth Handler.

Use the Furbo mobile app: Settings > Device Settings > Bluetooth > Disable

Network Segmentation (applies to: all affected versions)

Isolate Furbo devices on a separate VLAN or network segment to prevent local network access.

🧯 If You Can't Patch

  • Physically disconnect device when not in use for monitoring
  • Implement strict network access controls to limit which devices can communicate with Furbo cameras

🔍 How to Verify

Check if Vulnerable:

Check firmware version in Furbo mobile app: Settings > Device Info > Firmware Version

Check Version:

Not applicable - use mobile app interface

Verify Fix Applied:

Confirm firmware version is above vulnerable ranges: Furbo 360: FB0035_FW_037+, Furbo Mini: MC0020_FW_075+

📡 Detection & Monitoring

Log Indicators:

  • Device reboot logs
  • Bluetooth connection failures
  • Unexpected Bluetooth pairing attempts

Network Indicators:

  • Unusual Bluetooth traffic patterns
  • Multiple connection attempts to Furbo devices

SIEM Query:

Not applicable - device logs not typically integrated with enterprise SIEM systems
