Security Flaw in Tomofun Furbo 360 and Mini Devices
CVE-2025-11643

6.3 MEDIUM

Key Information:

Vendor: Tomofun
CVE Published: 12 October 2025

What is CVE-2025-11643?

A security flaw has been identified in the Tomofun Furbo 360 and Furbo Mini, specifically affecting the MQTT Client Certificate functionality. This vulnerability results in the exposure of hard-coded credentials, which can be exploited by an attacker remotely. The issue resides within the file /squashfs-root/furbo_img, and successful exploitation allows unauthorized access to sensitive information. Despite attempts to inform the vendor regarding this security concern, there has been no response to date. Users of affected firmware versions should take immediate action to secure their devices.

Affected Version(s)

Furbo 360

Furbo Mini

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

jTag Labs (VulDB User)