CVE-2025-11648 Overview
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Tomofun Furbo 360 and Furbo Mini pet cameras. The vulnerability exists in the GATT Interface URL Handler component, specifically within the TF_FQDN.json file handling. An attacker with network access can manipulate URL parameters through the Bluetooth Low Energy (BLE) interface to force the device to make unauthorized server-side requests, potentially accessing internal resources or pivoting to other systems on the network.
Critical Impact
Remote attackers can exploit the SSRF vulnerability through the BLE GATT interface to force affected Furbo cameras to make arbitrary server-side requests, potentially enabling reconnaissance of internal networks or access to restricted resources.
Affected Products
- Furbo 360 Dog Camera with firmware up to version FB0035_FW_036
- Furbo Mini with firmware up to version MC0020_FW_074
- Furbo 360 Dog Camera Firmware (all versions through affected range)
- Furbo Mini Firmware (all versions through affected range)
Discovery Timeline
- 2025-10-12 - CVE-2025-11648 published to NVD
- 2026-04-29 - Last updated in NVD database
Note: The vendor (Tomofun/Furbo) was contacted early about this disclosure but did not respond.
Technical Details for CVE-2025-11648
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery). The SSRF condition arises from improper handling of URL parameters within the GATT (Generic Attribute Profile) Interface URL Handler on affected Furbo pet cameras. The vulnerability allows attackers to manipulate the TF_FQDN.json configuration file through BLE interactions, causing the device to initiate requests to attacker-controlled or internal destinations.
IoT devices like smart pet cameras often have limited security controls, making SSRF vulnerabilities particularly concerning as they can be leveraged for network reconnaissance, accessing cloud APIs with device credentials, or reaching otherwise inaccessible internal services.
Root Cause
The root cause of this vulnerability lies in insufficient input validation within the GATT Interface URL Handler. When processing URL parameters from the TF_FQDN.json configuration, the firmware fails to properly sanitize or restrict the destination addresses. This allows an attacker to inject arbitrary URLs that the device will subsequently request on the attacker's behalf, bypassing intended access controls and potentially exposing internal network resources.
Attack Vector
The attack leverages the Bluetooth Low Energy (BLE) GATT interface as the initial access point. An attacker within BLE range can interact with the device's GATT services to modify URL parameters in the TF_FQDN.json configuration. Once modified, the device will make HTTP requests to the attacker-specified endpoints when the affected functionality is triggered.
The exploitation is considered highly complex due to:
- Requirement for BLE proximity to the target device
- Knowledge of specific GATT characteristics and service UUIDs
- Understanding of the proprietary TF_FQDN.json format
The attack vector is network-based (via BLE) but requires no authentication or user interaction once within range. Additional technical details are available in the GitHub SSRF Advisory.
Detection Methods for CVE-2025-11648
Indicators of Compromise
- Unexpected outbound HTTP/HTTPS connections from Furbo camera devices to non-standard destinations
- Anomalous BLE pairing or connection attempts to Furbo devices from unrecognized sources
- Network traffic from the camera to internal IP ranges that should not be accessed
- Unusual DNS queries originating from the pet camera device
Detection Strategies
- Monitor network traffic from IoT devices for connections to unexpected internal or external IP addresses
- Implement network segmentation to isolate IoT devices and alert on cross-segment communication attempts
- Deploy BLE monitoring solutions to detect unauthorized pairing attempts with Furbo cameras
- Review firewall logs for outbound connections from camera devices to non-whitelisted destinations
Monitoring Recommendations
- Place Furbo cameras on an isolated IoT VLAN with strict egress filtering
- Configure network monitoring to baseline normal camera traffic patterns and alert on deviations
- Enable logging of all outbound connections from IoT device network segments
- Consider deploying a BLE intrusion detection system in environments with sensitive assets
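The egress check described under Detection Strategies, as an added example that is not part of the original advisory: it scans constructed gateway flow records for the camera's outbound connections and flags internal destinations (a possible SSRF pivot) and non-allowlisted external hosts. The camera address, the DNS resolver and the cloud allow-list are assumptions; the vendor's real endpoints are not given on the page.

```python
import ipaddress
import re

# Constructed sample flow records (not real Furbo telemetry): one connection
# per line as seen by the gateway, "src -> dst:port proto".
SAMPLE_FLOWS = """\
192.168.1.100 -> 203.0.113.10:443 tcp
192.168.1.100 -> 192.168.1.1:53 udp
192.168.1.100 -> 192.168.1.20:8080 tcp
192.168.1.100 -> 10.0.0.5:22 tcp
192.168.1.100 -> 198.51.100.7:80 tcp
192.168.1.55 -> 10.0.0.5:22 tcp
"""

CAMERA_IP = ipaddress.ip_address("192.168.1.100")          # assumed device address
ALLOWED_DNS = {ipaddress.ip_address("192.168.1.1")}          # assumed local resolver
# Hypothetical cloud allow-list; replace with the vendor's verified endpoints.
ALLOWED_CLOUD = [ipaddress.ip_network("203.0.113.0/24")]
# Ranges the camera should never reach: RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

FLOW_RE = re.compile(r"^(\S+) -> (\S+):(\d+) (tcp|udp)$")

def classify(dst: str, port: int, proto: str):
    """Return None for an expected flow, otherwise a short alert reason."""
    addr = ipaddress.ip_address(dst)
    if proto == "udp" and port == 53 and addr in ALLOWED_DNS:
        return None                                  # normal DNS lookup
    if port == 443 and any(addr in net for net in ALLOWED_CLOUD):
        return None                                  # expected cloud traffic
    if any(addr in net for net in INTERNAL_NETS):
        return "internal destination (possible SSRF pivot)"
    return "non-allowlisted external destination"

def find_suspicious(lines):
    """Return (dst, port, reason) for each unexpected camera egress flow."""
    findings = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue                                 # skip malformed records
        src, dst, port, proto = m.groups()
        if ipaddress.ip_address(src) != CAMERA_IP:
            continue                                 # only the camera is in scope
        reason = classify(dst, int(port), proto)
        if reason:
            findings.append((dst, int(port), reason))
    return findings

if __name__ == "__main__":
    for dst, port, reason in find_suspicious(SAMPLE_FLOWS.splitlines()):
        print(f"ALERT camera -> {dst}:{port}: {reason}")
```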
How to Mitigate CVE-2025-11648
Immediate Actions Required
- Isolate affected Furbo devices on a dedicated network segment with restricted outbound access
- Disable BLE on Furbo cameras if not required for device operation or setup
- Implement strict firewall rules limiting the camera's outbound connectivity to known Furbo cloud endpoints only
- Monitor for firmware updates from Tomofun that address this vulnerability
Patch Information
As of the last update, Tomofun (the vendor) has not released a security patch for this vulnerability. The vendor was contacted early about the disclosure but did not respond. Users should monitor the official Furbo support channels and mobile application for firmware updates. Firmware versions FB0035_FW_036 (Furbo 360) and MC0020_FW_074 (Furbo Mini) and earlier are confirmed affected.
For additional details, see VulDB #328059.
Workarounds
- Configure network-level restrictions to prevent the camera from accessing internal network resources or unauthorized external endpoints
- Use firewall rules to whitelist only required Furbo cloud service IP addresses and domains for outbound traffic
- Physically secure the device location to minimize BLE attack surface from public or untrusted areas
- Consider disabling the device until an official patch is available if the risk is unacceptable for your environment
#!/bin/sh
# Example: network isolation using iptables (on a gateway/router).
# Allow only Furbo cloud services and block all other outbound traffic from the camera.
# Replace the placeholder address with the camera's actual IP.
FURBO_CAMERA_IP="192.168.1.100"
# Allow DNS resolution (adjust the DNS server as needed; add -d <DNS_SERVER_IP> to restrict it)
iptables -A FORWARD -s "$FURBO_CAMERA_IP" -p udp --dport 53 -j ACCEPT
# Allow HTTPS to known Furbo cloud endpoints (research the actual IPs/domains first)
# iptables -A FORWARD -s "$FURBO_CAMERA_IP" -d <FURBO_CLOUD_IP> -p tcp --dport 443 -j ACCEPT
# Block all other outbound traffic from the camera; this rule must come after the ACCEPT rules
iptables -A FORWARD -s "$FURBO_CAMERA_IP" -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

