CVE-2025-11643
Published: 12 October 2025
Summary
CVE-2025-11643 is a medium-severity Use of Hard-coded Password (CWE-259) vulnerability in Furbo Furbo Mini Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 17.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-33906
Vulnerability details
A security flaw has been discovered in Tomofun Furbo 360 and Furbo Mini. Affected by this vulnerability is an unknown functionality of the file /squashfs-root/furbo_img of the component MQTT Client Certificate. Performing manipulation results in hard-coded credentials. The attack may…
more
be initiated remotely. The attack's complexity is rated as high. The exploitation appears to be difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Hard-coded MQTT client certificates in device firmware enable extraction of unsecured credentials from files (T1552.001), impersonation of valid cloud device accounts on AWS IoT (T1078.004), discovery of cloud accounts via exposed device IDs (T1087.004), and cloud service discovery through subscription to MQTT topics revealing all connected devices and actions (T1526).
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Changing default authenticators prior to first use directly prevents use of hard-coded passwords.
Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation.
Vetting reduces the chance a developer will deliberately insert hard-coded credentials as a backdoor or unauthorized access mechanism.
Supplier risk reviews identify and discourage hard-coded credentials in delivered products or services.
Enables users to notice when hard-coded credentials have been exploited for unauthorized access.
Security training explicitly warns against hard-coded credentials, lowering their use in systems.
Policy and procedures prohibit hard-coded credentials in favor of managed authentication.
External identity providers eliminate the need for hard-coded credentials in applications.