CVE-2025-3653

HighPublic PoC

Published: 04 January 2026

Published

04 January 2026

Modified

03 February 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0008 22.7th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-3653 is a high-severity Improper Authorization of Index Containing Sensitive Information (CWE-612) vulnerability in Petlibro Petlibro. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).

Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Improper access control in public platform APIs directly enables remote exploitation of an internet-facing application for unauthorized device control.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an improper access control vulnerability that allows unauthorized device manipulation by accepting arbitrary serial numbers without ownership verification. Attackers can control any device by sending serial numbers to device control…

APIs to change feeding schedules, trigger manual feeds, access camera feeds, and modify device settings without authorization checks.

Deeper analysisAI

CVE-2025-3653, published on 2026-01-04, is an improper access control vulnerability (CWE-612) in the Petlibro Smart Pet Feeder Platform versions up to 1.7.31. The issue stems from the platform accepting arbitrary serial numbers without ownership verification, allowing unauthorized manipulation of devices through control APIs.

The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), making it exploitable remotely over the network with low complexity and no privileges or user interaction required. Attackers can send arbitrary serial numbers to the device control APIs, enabling full unauthorized control of any targeted device, including changing feeding schedules, triggering manual feeds, accessing camera feeds, and modifying device settings.

Advisories detailing the vulnerability, including mitigation guidance, are available from VulnCheck at https://www.vulncheck.com/advisories/petlibro-smart-pet-feeder-through-platform-improper-access-control-via-api-endpoint and additional analysis at https://bobdahacker.com/blog/petlibro.

Details

CWE(s): CWE-612

Affected Products

petlibro

≤ 1.7.31

CVEs Like This One

CVE-2025-3660Same product: Petlibro Petlibro

CVE-2025-3654Same product: Petlibro Petlibro

CVE-2025-3646Same product: Petlibro Petlibro

CVE-2025-15115Same product: Petlibro Petlibro

CVE-2019-25605Shared CWE-612

References

https://bobdahacker.com/blog/petlibro
Product · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/petlibro-smart-pet-feeder-through-platform-improper-access-control-via-api-endpoint
Third Party Advisory · disclosure@vulncheck.com