CVE-2025-11647

A flaw has been found in Tomofun Furbo 360 and Furbo Mini. This issue affects some unknown processing of the component GATT Service. This manipulation of the argument DeviceToken causes information disclosure. The attack is only possible within the local network. A high degree of complexity is needed for the attack. The exploitability is assessed as difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS v3 3.1 LOW
CVSS v2.0 1.8 LOW

3.1^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 1.4

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

1.8^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:A/AC:H/Au:N/C:P/I:N/A:N

Exploitability : 3.2 / Impact : 2.9

Access Vector ADJACENT_NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Information-Disclosure-DeviceToken.md
https://vuldb.com/?ctiid.328058
https://vuldb.com/?id.328058
https://vuldb.com/?submit.662767
https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Information-Disclosure-DeviceToken.md

Configurations

No configuration.

History

18 Oct 2025, 22:15

Type	Values Removed	Values Added
Summary	(en) A flaw has been found in Tomofun Furbo 360 and Furbo Mini. This issue affects some unknown processing of the component GATT Service. This manipulation of the argument DeviceToken causes information disclosure. The attack is only possible within the local network. A high degree of complexity is needed for the attack. The exploitability is assessed as difficult. The exploit has been published and may be used. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.	(en) A flaw has been found in Tomofun Furbo 360 and Furbo Mini. This issue affects some unknown processing of the component GATT Service. This manipulation of the argument DeviceToken causes information disclosure. The attack is only possible within the local network. A high degree of complexity is needed for the attack. The exploitability is assessed as difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.

14 Oct 2025, 14:15

Type	Values Removed	Values Added
References	~~() https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Information-Disclosure-DeviceToken.md -~~	() https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Information-Disclosure-DeviceToken.md -

12 Oct 2025, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-10-12 22:15

Updated : 2025-10-18 22:15

NVD link : CVE-2025-11647

Mitre link : CVE-2025-11647

CVE.ORG link : CVE-2025-11647

JSON object : View

Products Affected

No product.

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-284

Improper Access Control

3.1 /10

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

1.8 /10

Access Vector ADJACENT_NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2025-11647

3.1^/10

1.8^/10

Attach tags to `CVE-2025-11647`