Insecure Storage Vulnerability in Tomofun Furbo Mobile App for Android Devices
CVE-2025-11645

2.4LOW

Key Information:

Vendor

Tomofun

Status
Furbo Mobile App
Vendor
CVE Published:
12 October 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-11645?

A security vulnerability has been identified in the Tomofun Furbo Mobile App for Android, specifically in the Authentication Token Handler component. This vulnerability permits the insecure storage of sensitive user information, which can be exploited locally on the device. The potential attack vector has been disclosed publicly, raising concerns for users. Despite attempts to contact the vendor regarding this issue, there has been no acknowledgment or response from Tomofun.

Affected Version(s)

Furbo Mobile App 7.57.0a

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-11645 - Proof of Concept

References

https://vuldb.com/?id.328056
vdb-entry
https://vuldb.com/?ctiid.328056
signaturepermissions-required
https://vuldb.com/?submit.661899
third-party-advisory

CVSS V4

Score:
2.4
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Physical
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

jTag Labs (VulDB User)
JSON
.
CVE-2025-11645 : Insecure Storage Vulnerability in Tomofun Furbo Mobile App for Android Devices