Cyber Resilience

CVE-2025-11643

Severity: Medium

Published: 12 October 2025
Modified: 29 October 2025
KEV added: not listed
Patch: (no entry)
CVSS v4 score: 6.3 (vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0006 (17.9th percentile)
Risk priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-11643 is a medium-severity Use of Hard-coded Password (CWE-259) vulnerability in Furbo's Furbo Mini firmware. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). The CVE ranks at the 17.9th percentile by exploit likelihood (EPSS, below the median), and it is not currently listed in the CISA KEV catalog.


Vulnerability details

A security flaw has been discovered in Tomofun Furbo 360 and Furbo Mini. The flaw lies in an unspecified function of the file /squashfs-root/furbo_img in the MQTT Client Certificate component; manipulation of it yields hard-coded credentials. The attack may be initiated remotely. The attack's complexity is rated as high, so exploitation appears to be difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

- T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
- T1078.004 Cloud Accounts (Stealth): Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
- T1087.004 Cloud Account (Discovery): Adversaries may attempt to get a listing of cloud accounts.
- T1526 Cloud Service Discovery (Discovery): An adversary may attempt to enumerate the cloud services running on a system after gaining access.

Why these techniques?

Hard-coded MQTT client certificates in device firmware enable extraction of unsecured credentials from files (T1552.001), impersonation of valid cloud device accounts on AWS IoT (T1078.004), discovery of cloud accounts via exposed device IDs (T1087.004), and cloud service discovery through subscription to MQTT topics revealing all connected devices and actions (T1526).
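The first step in the chain above, an unsecured credential sitting in a firmware file, is also the easiest one for a defender to check for before a device ships or when triaging an image. The scanner below is an added example (hypothetical helper, not Furbo's or this page's code). It assumes the firmware has already been unpacked to a directory such as a squashfs root, reads every file as raw bytes so that PEM blocks buried inside a binary blob are found as well as plain-text key files, and fingerprints each block so the same key turning up in several images (the shared credential that CWE-798 describes) is reported explicitly. The sample images it scans are constructed placeholders, not real key material, and the fingerprint is a SHA-256 of the base64 body rather than an X.509 certificate fingerprint.

```python
"""Detect PEM-encoded credentials embedded in an extracted firmware tree.

Added example (hypothetical helper, not Furbo's or this page's code). It
assumes the firmware image has already been unpacked to a directory and
scans every file as raw bytes.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# PEM armour: "-----BEGIN <KIND>-----", a base64 body, "-----END <KIND>-----".
PEM_RE = re.compile(
    rb"-----BEGIN (?P<kind>[A-Z ]+?)-----\s*"
    rb"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    rb"-----END (?P=kind)-----"
)


@dataclass(frozen=True)
class Finding:
    path: str          # file relative to the scanned root
    offset: int        # byte offset of the BEGIN marker inside that file
    kind: str          # e.g. "EC PRIVATE KEY", "CERTIFICATE"
    fingerprint: str   # SHA-256 of the base64 body (not an X.509 fingerprint)


def scan_bytes(path: str, data: bytes) -> list[Finding]:
    """Return every PEM block found in `data`, tagged with `path`."""
    findings = []
    for m in PEM_RE.finditer(data):
        body = b"".join(m.group("body").split())   # drop line breaks before hashing
        fp = hashlib.sha256(body).hexdigest()[:16]
        findings.append(Finding(path, m.start(), m.group("kind").decode(), fp))
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk `root` and scan every file as bytes (binary blobs included)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                findings.extend(scan_bytes(os.path.relpath(full, root), f.read()))
    return findings


def private_keys(findings: list[Finding]) -> list[Finding]:
    """Private keys are the findings that matter: a certificate alone is public."""
    return [f for f in findings if "PRIVATE KEY" in f.kind]


def shared_credentials(findings: list[Finding]) -> dict[str, list[str]]:
    """Fingerprints present in more than one file: one key baked into several
    images or devices is the shared hard-coded credential CWE-798 describes."""
    by_fp: dict[str, set[str]] = {}
    for f in findings:
        by_fp.setdefault(f.fingerprint, set()).add(f.path)
    return {fp: sorted(paths) for fp, paths in by_fp.items() if len(paths) > 1}


# Constructed sample data: placeholder base64, not real cryptographic material,
# wrapped in binary filler to mimic an image blob.
FAKE_KEY = (
    b"-----BEGIN EC PRIVATE KEY-----\n"
    b"MHQCAQEEIExampleOnlyNotARealKey00000000000000000000000000000000oAcGBSuBBAAK\n"
    b"-----END EC PRIVATE KEY-----\n"
)
FAKE_CERT_A = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"MIIBExampleOnlyNotARealCertificateA000000000000000000000000000000000000==\n"
    b"-----END CERTIFICATE-----\n"
)
FAKE_CERT_B = FAKE_CERT_A.replace(b"CertificateA", b"CertificateB")

SAMPLE_IMAGES = {
    # Same private key in both images, different certificates.
    "image_a/furbo_img": b"\x00\x01\x02" * 8 + FAKE_KEY + b"\xff\xfe" + FAKE_CERT_A,
    "image_b/furbo_img": b"\x7fELF" + FAKE_CERT_B + b"\x00" * 16 + FAKE_KEY,
}


def demo() -> tuple[list[Finding], dict[str, list[str]]]:
    """Write the sample images to a temp tree, scan it, and report sharing."""
    with tempfile.TemporaryDirectory() as root:
        for rel, blob in SAMPLE_IMAGES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(blob)
        findings = scan_tree(root)
        return findings, shared_credentials(findings)


if __name__ == "__main__":
    found, shared = demo()
    for f in found:
        print(f"{f.path}:{f.offset} {f.kind} fp={f.fingerprint}")
    for fp, paths in shared.items():
        print(f"shared credential {fp} in {paths}")
```

Pointing `scan_tree` at a real unpacked image instead of `demo()` is the only change needed in practice; a private key that fingerprints identically across two firmware builds, or across images pulled from two physical devices, is the result that should block a release, since per-device certificates issued at provisioning time would never collide that way.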

Affected Assets

- Vendor: furbo; product: furbo mini firmware; versions ≤ 074
- Vendor: furbo; product: furbo 360 dog camera firmware; versions ≤ 036

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-259, CWE-798: Changing default authenticators prior to first use directly prevents use of hard-coded passwords.
- Addresses CWE-798, CWE-259: Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation.
- Addresses CWE-798, CWE-259: Vetting reduces the chance a developer will deliberately insert hard-coded credentials as a backdoor or unauthorized access mechanism.
- Addresses CWE-798, CWE-259: Supplier risk reviews identify and discourage hard-coded credentials in delivered products or services.
- Addresses CWE-798: Enables users to notice when hard-coded credentials have been exploited for unauthorized access.
- Addresses CWE-798: Security training explicitly warns against hard-coded credentials, lowering their use in systems.
- Addresses CWE-798: Policy and procedures prohibit hard-coded credentials in favor of managed authentication.
- Addresses CWE-798: External identity providers eliminate the need for hard-coded credentials in applications.
