Insecure Storage Vulnerability in Tomofun Furbo Devices
CVE-2025-11639

4.8 MEDIUM

Key Information:

Vendor: Tomofun

CVE Published: 12 October 2025

What is CVE-2025-11639?

A vulnerability in the Tomofun Furbo 360 and Furbo Mini affects the collect_logs.sh function within the Debug Log S3 Bucket Handler. The flaw results in insecure storage of sensitive information, putting user data at risk. The affected firmware versions are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. Exploitation requires local access. The vendor was contacted early about this disclosure but did not respond.

Affected Version(s)

Furbo 360

Furbo Mini

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

jTag Labs (VulDB User)