CVE-2025-11644 | THREATINT

Description

A weakness has been identified in Tomofun Furbo 360 and Furbo Mini. Affected by this issue is some unknown functionality of the component UART Interface. Executing manipulation can lead to insecure storage of sensitive information. The physical device can be targeted for the attack. This attack is characterized by high complexity. The exploitation is known to be difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.

In Tomofun Furbo 360 and Furbo Mini ist eine Schwachstelle entdeckt worden. Davon betroffen ist unbekannter Code der Komponente UART Interface. Durch das Manipulieren mit unbekannten Daten kann eine insecure storage of sensitive information-Schwachstelle ausgenutzt werden. Es ist möglich, den Angriff auf das physische Gerät durchzuführen. Ein Angriff erfordert eine vergleichsweise hohe Komplexität. Sie gilt als schwierig ausnutzbar.

PUBLISHED Reserved 2025-10-11 | Published 2025-10-12 | Updated 2025-10-18 | Assigner VulDB

LOW: 1.0CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

LOW: 2.0CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R

LOW: 2.0CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R

1.2AV:L/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR

Problem types

Insecure Storage of Sensitive Information

Information Disclosure

Product status

Any version

affected

Any version

affected

Timeline

2025-05-15:	Vulnerability found
2025-06-21:	Vendor informed
2025-07-03:	Vendor acknowledged
2025-10-11:	Advisory disclosed
2025-10-11:	VulDB entry created
2025-10-18:	VulDB entry last update

Credits

Calvin Star (Software Secured) finder

Julian B (Software Secured) finder

jTag Labs (VulDB User) reporter

jTag Labs (VulDB User) analyst

References

github.com/...ge of Sensitve Information - CVE-2025-XXXXX.md exploit

github.com/...age of Sensitve Information - CVE-2025-XXXX.md exploit

vuldb.com/?id.328055 (VDB-328055 | Tomofun Furbo 360/Furbo Mini UART sensitive information) vdb-entry technical-description

vuldb.com/?ctiid.328055 (VDB-328055 | CTI Indicators (IOB, IOC, TTP)) signature permissions-required

vuldb.com/?submit.661878 (Submit #661878 | Tomofun Furbo 360, Furbo Mini Furbo 360 (≤ FB0035_FW_036), Furbo Mini (≤ MC0020_FW_074) Insecure Storage of Sensitive Information) third-party-advisory

vuldb.com/?submit.661879 (Submit #661879 | Tomofun Furbo 360, Furbo Mini Furbo 360 (≤ FB0035_FW_036), Furbo Mini (≤ MC0020_FW_074) Insecure Storage of Sensitive Information (Duplicate)) third-party-advisory

github.com/...ge of Sensitve Information - CVE-2025-XXXXX.md related

github.com/...age of Sensitve Information - CVE-2025-XXXX.md exploit

cve.org (CVE-2025-11644)

nvd.nist.gov (CVE-2025-11644)

Download JSON