Vulnerability in Tomofun Furbo 360 and Furbo Mini Root Account Handler
CVE-2025-11649

7.3HIGH

Key Information:

Vendor

Tomofun

Status
Furbo 360
Furbo Mini
Vendor
CVE Published:
12 October 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-11649?

A hard-coded password vulnerability exists in the Root Account Handler of Tomofun Furbo 360 and Furbo Mini devices. This flaw allows unauthorized local access through manipulation of the affected components. The complexity of the attack is considered high, and while the exploit has been made public, its effective execution requires specific conditions to be met. The affected firmware versions include Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. Users should be aware of this issue, as it poses a notable risk to device security.

Affected Version(s)

Furbo 360

Furbo Mini

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-11649 - Proof of Concept

References

https://vuldb.com/?id.328060
vdb-entry
https://vuldb.com/?ctiid.328060
signaturepermissions-required
https://vuldb.com/?submit.662769
third-party-advisory

CVSS V4

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

jTag Labs (VulDB User)
JSON
.
CVE-2025-11649 : Vulnerability in Tomofun Furbo 360 and Furbo Mini Root Account Handler