CVE-2025-3654

5.3 MEDIUM

📋 TL;DR

This vulnerability allows attackers to retrieve device hardware information, such as serial numbers and MAC addresses, from Petlibro Smart Pet Feeder devices by exploiting insecure API endpoints that do not enforce authorization. With that information, an attacker can potentially gain full control of the device without proper authorization. All users of the Petlibro Smart Pet Feeder Platform up to version 1.7.31 are affected.

💻 Affected Systems

Products:
  • Petlibro Smart Pet Feeder Platform
Versions: up to 1.7.31
Operating Systems: Embedded IoT OS
Default Config Vulnerable: ⚠️ Yes
Notes: All devices using the vulnerable firmware version are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full administrative control over pet feeder devices, allowing them to modify feeding schedules, disable feeding, or access other connected smart home devices.

🟠 Likely Case

Attackers collect device identifiers for tracking, profiling, or preparing for further attacks against the smart home ecosystem.

🟢 If Mitigated

Limited information disclosure with no escalation to device control, due to proper network segmentation and API hardening.

🌐 Internet-Facing: HIGH - The vulnerable API endpoints are accessible over the internet, allowing remote exploitation without network access.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this, but would need network access to reach the devices.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests to the vulnerable endpoint with predictable pet IDs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Contact Petlibro support for firmware updates
2. Check device settings for available updates
3. Apply any available firmware updates immediately

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate Petlibro devices on a separate VLAN or network segment to limit exposure.

API Endpoint Blocking (applies to: all)

Block access to the /device/devicePetRelation/getBoundDevices endpoint at the firewall or WAF.

🧯 If You Can't Patch

  • Disconnect devices from internet and use local-only mode if available
  • Monitor network traffic for suspicious API calls to vulnerable endpoints

🔍 How to Verify

Check if Vulnerable:

Send HTTP GET request to /device/devicePetRelation/getBoundDevices?petId=1 and check if device information is returned without authentication

Check Version:

Check device firmware version in Petlibro mobile app under device settings

Verify Fix Applied:

Attempt the same request after applying the fixes; it should return an authentication error or no sensitive data.

📡 Detection & Monitoring

Log Indicators:

  • Multiple requests to /device/devicePetRelation/getBoundDevices with different pet IDs
  • Unauthenticated API calls returning device hardware information

Network Indicators:

  • HTTP GET requests to vulnerable endpoint from unexpected IP addresses
  • Traffic patterns showing enumeration of pet IDs

SIEM Query:

source="petlibro" AND uri="/device/devicePetRelation/getBoundDevices" AND response_size>100
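The two log indicators above (pet-ID enumeration from one source, and unauthenticated calls that return a sizeable body) can be checked outside a SIEM as well. The following is an added example, not code from this page or from Petlibro: it runs both checks over a handful of constructed access-log lines. The log format (`ip timestamp method uri status bytes auth=yes|no`), the IP addresses, timestamps, sizes and the `auth=` field are all assumptions made for the example; adapt the parser to whatever your gateway or reverse proxy actually logs. The `response_size>100` threshold mirrors the SIEM query above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Endpoint named in the advisory.
VULN_PATH = "/device/devicePetRelation/getBoundDevices"

# Constructed sample log lines (not captured from any real device or service).
# Assumed format: "<ip> <iso-timestamp> <method> <uri> <status> <bytes> auth=<yes|no>"
SAMPLE_LOG = """\
203.0.113.7 2025-05-01T10:00:01Z GET /device/devicePetRelation/getBoundDevices?petId=1 200 412 auth=no
203.0.113.7 2025-05-01T10:00:02Z GET /device/devicePetRelation/getBoundDevices?petId=2 200 398 auth=no
203.0.113.7 2025-05-01T10:00:03Z GET /device/devicePetRelation/getBoundDevices?petId=3 200 405 auth=no
203.0.113.7 2025-05-01T10:00:04Z GET /device/devicePetRelation/getBoundDevices?petId=4 200 0 auth=no
192.0.2.10 2025-05-01T10:05:00Z GET /device/devicePetRelation/getBoundDevices?petId=17 200 420 auth=yes
192.0.2.10 2025-05-01T10:06:00Z GET /api/feeder/schedule 200 250 auth=yes
198.51.100.3 2025-05-01T11:00:00Z GET /device/devicePetRelation/getBoundDevices?petId=9 401 35 auth=no
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) auth=(yes|no)$")


def parse_log(text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, ts, method, uri, status, size, auth = m.groups()
        parsed = urlparse(uri)
        pet_id = parse_qs(parsed.query).get("petId", [None])[0]
        events.append({
            "ip": ip,
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "method": method,
            "path": parsed.path,
            "pet_id": pet_id,
            "status": int(status),
            "size": int(size),
            "authed": auth == "yes",
        })
    return events


def detect_enumeration(events, window=timedelta(minutes=5), min_distinct=3):
    """Flag source IPs that query the vulnerable endpoint with >= min_distinct
    different petId values inside a sliding time window. Returns {ip: set(pet_ids)}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["path"] == VULN_PATH and e["pet_id"] is not None:
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ids = {e["pet_id"] for e in evs[start:end + 1]}
            if len(ids) >= min_distinct:
                flagged.setdefault(ip, set()).update(ids)
    return flagged


def detect_unauth_disclosure(events, min_size=100):
    """Return successful, unauthenticated calls to the vulnerable endpoint whose
    response body is large enough to have carried device data (same idea as the
    SIEM query's response_size>100)."""
    return [
        e for e in events
        if e["path"] == VULN_PATH
        and not e["authed"]
        and e["status"] == 200
        and e["size"] > min_size
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, ids in detect_enumeration(evs).items():
        print(f"enumeration from {ip}: petIds {sorted(ids, key=int)}")
    for e in detect_unauth_disclosure(evs):
        print(f"unauthenticated disclosure: {e['ip']} petId={e['pet_id']} {e['size']} bytes")
```

On the sample data the enumeration check flags only 203.0.113.7 (four petIds in three seconds), while the authenticated single lookup from 192.0.2.10 and the rejected 401 request from 198.51.100.3 are left alone; the disclosure check reports the three unauthenticated 200 responses with bodies over 100 bytes and ignores the empty one.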
