Cyber Resilience

CVE-2025-3646

Severity: Medium · Public PoC

Published: 04 January 2026
Modified: 03 February 2026
KEV Added: not listed
CVSS v4.0 base score: 6.9 (Medium)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0019 (9.2nd percentile)
Risk Priority: 35 (floored blend with peak EPSS)

Summary

CVE-2025-3646 is a medium-severity vulnerability in the Petlibro Smart Pet Feeder Platform (vendor Petlibro; the product is recorded simply as "Petlibro"), catalogued as CWE-306 (Missing Authentication for Critical Function). Its CVSS v4.0 base score is 6.9 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 9.2nd percentile for exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST SP 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-3646 is an authorization bypass in the Petlibro Smart Pet Feeder Platform, versions up to and including 1.7.31. The device share API performs no permission check on the caller, so anyone who can reach it can add an arbitrary account as a shared owner of any device. The issue is catalogued as CWE-306 (Missing Authentication for Critical Function); the behaviour described, a device-sharing action permitted without verifying the caller's rights to that device, is also what CWE-862 (Missing Authorization) covers, which matters when searching for related weaknesses. Under CVSS v3.1 it scores 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L); under CVSS v4.0, 6.9. It was published on 2026-01-04.

Because the check is absent rather than merely weak, an unauthenticated attacker with network access to the API can exploit it by sending requests directly to the device share endpoint; no credentials or user interaction are required (PR:N and UI:N in both vectors), and the attacker needs only the identifier of the target device. Successful exploitation lets the attacker add themselves or others as shared owners of that device and view its owner information, compromising pet feeder controls and exposing associated user data.

Advisories detailing the vulnerability and mitigation recommendations are available at https://bobdahacker.com/blog/petlibro and https://www.vulncheck.com/advisories/petlibro-smart-pet-feeder-platform-through-authorization-bypass-via-device-share-api.


Vulnerability details

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contain an authorization bypass vulnerability that allows unauthorized users to add users as shared owners to any device by exploiting missing permission checks. Attackers can send requests to the device share API to gain unauthorized access to devices and view owner information without proper authorization validation.

CWE(s): CWE-306 Missing Authentication for Critical Function

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why this technique?

The authorization bypass sits in a publicly reachable device share API, so exploiting it is exactly the exploitation of a public-facing application for unauthorized access and account manipulation on the platform.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-3660 (same product: Petlibro)
CVE-2025-3653 (same product: Petlibro)
CVE-2025-3654 (same product: Petlibro)
CVE-2025-15115 (same product: Petlibro)
CVE-2026-4810 (shared CWE-306)
CVE-2025-53847 (shared CWE-306)
CVE-2025-61757 (shared CWE-306)
CVE-2025-68715 (shared CWE-306)
CVE-2026-21992 (shared CWE-306)
CVE-2025-26362 (shared CWE-306)

Affected Assets

Vendor: petlibro
Product: petlibro
Versions: ≤ 1.7.31

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

AC-3 Access Enforcement (prevent): directly enforces authorization checks on the device share API so that only permitted users can add shared owners.

AC-24 Access Control Decisions (prevent): requires the system to make and enforce an explicit access-control decision before allowing any share operation on a device.

Least-privilege control (prevent; control identifier not recorded on this page): limits privileges so that even authenticated users cannot change a device's owners or sharing without explicit assignment of the required permission.
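As an added illustration of the flaw described in the deeper analysis above and of the first two controls in this list, and not code from Petlibro or from either advisory: a minimal Python model of a device share handler, first as the page describes it (no check on who is calling or whether they own the device) and then with an explicit access-control decision enforced before the write. The request shape, the bearer-token session table, the account and device identifiers and the function names are all assumptions made for the example.

```python
"""Vulnerable vs. hardened device-share handler for a CVE-2025-3646-style flaw.

Added illustration; not Petlibro's code and not taken from either advisory.
The request shape, the bearer-token session table, the account and device
identifiers and the function names are all assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Device:
    device_id: str
    owner: str
    shared_with: Set[str] = field(default_factory=set)


class AccessDenied(Exception):
    """Raised when the access-control decision rejects the request."""


def fresh_store() -> Dict[str, Device]:
    """Constructed in-memory stand-in for the platform's device database."""
    return {
        "feeder-001": Device("feeder-001", owner="alice"),
        "feeder-002": Device("feeder-002", owner="bob"),
    }


# Constructed session table (assumption): bearer token -> account name.
SESSIONS = {"Bearer tok-alice": "alice", "Bearer tok-bob": "bob"}


def caller_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Identify the caller from the authenticated session, never from the body."""
    return SESSIONS.get(headers.get("Authorization", ""))


def share_device_vulnerable(store: Dict[str, Device], body: dict,
                            headers: Dict[str, str]) -> dict:
    """Models the flaw: the handler never asks who is calling or whether that
    caller owns the device, so any request that reaches it succeeds."""
    device = store[body["device_id"]]
    device.shared_with.add(body["share_with"])
    # Echoing the owner is the "view owner information" part of the advisory.
    return {"status": "ok", "owner": device.owner,
            "shared_with": sorted(device.shared_with)}


def authorize_share(caller: Optional[str], device: Optional[Device]) -> None:
    """Explicit access-control decision (AC-24), taken before anything changes."""
    if caller is None:
        raise AccessDenied("authentication required")
    if device is None or caller != device.owner:
        # One answer for "no such device" and "not your device", so the
        # endpoint cannot be used to enumerate valid device identifiers.
        raise AccessDenied("not permitted")


def share_device_hardened(store: Dict[str, Device], body: dict,
                          headers: Dict[str, str]) -> dict:
    """The same operation with the decision enforced (AC-3) on every call."""
    caller = caller_from_headers(headers)
    device = store.get(body["device_id"])
    authorize_share(caller, device)
    device.shared_with.add(body["share_with"])
    # No owner field in the response: the caller already is the owner.
    return {"status": "ok", "shared_with": sorted(device.shared_with)}


def run_scenarios() -> dict:
    """Replay the attack against both handlers and record what each allowed."""
    attack = {"device_id": "feeder-001", "share_with": "attacker"}
    results = {}

    results["vulnerable_unauth"] = share_device_vulnerable(fresh_store(), attack, {})

    store = fresh_store()
    for label, headers in (("unauth", {}),
                           ("other_user", {"Authorization": "Bearer tok-bob"})):
        try:
            share_device_hardened(store, attack, headers)
            results["hardened_" + label] = "allowed"
        except AccessDenied as exc:
            results["hardened_" + label] = "denied: " + str(exc)

    # The legitimate owner sharing her own feeder still works.
    results["hardened_owner"] = share_device_hardened(
        store, {"device_id": "feeder-001", "share_with": "carol"},
        {"Authorization": "Bearer tok-alice"})
    return results


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(f"{label}: {outcome}")
```

Two design points carry over to any real share endpoint: the caller's identity comes from the session, never from a field in the request body, and the decision is a separate function that runs before the write and returns the same denial for a missing device and a device the caller does not own, so the endpoint cannot double as an oracle for valid device identifiers.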
