CVE-2025-11648

Name of the Vulnerable Software and Affected Versions Tomofun Furbo 360 versions prior to FB0035 FW 036 Tomofun Furbo Mini versions prior to MC0020 FW 074

Description A server-side request forgery condition exists in Tomofun Furbo 360 and Furbo Mini due to manipulation of the file TF FQDN.json within the GATT Interface URL Handler component. The attack can be performed remotely and is considered highly complex, with a difficult exploitability. The exploit has been publicly disclosed.

Recommendations Update Tomofun Furbo 360 to version FB0035 FW 036 or later. Update Tomofun Furbo Mini to version MC0020 FW 074 or later.