CVE-2025-3653
Published: 04 January 2026
Summary
CVE-2025-3653 is a medium-severity Improper Authorization of Index Containing Sensitive Information (CWE-612) vulnerability in Petlibro Petlibro. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-3 (Device Identification and Authentication).
Deeper analysis
CVE-2025-3653, published on 2026-01-04, is an improper access control vulnerability (CWE-612) in the Petlibro Smart Pet Feeder Platform versions up to 1.7.31. The issue stems from the platform accepting arbitrary serial numbers without ownership verification, allowing unauthorized manipulation of devices through control APIs.
The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), making it exploitable remotely over the network with low complexity and no privileges or user interaction required. Attackers can send arbitrary serial numbers to the device control APIs, enabling full unauthorized control of any targeted device, including changing feeding schedules, triggering manual feeds, accessing camera feeds, and modifying device settings.
Advisories detailing the vulnerability, including mitigation guidance, are available from VulnCheck at https://www.vulncheck.com/advisories/petlibro-smart-pet-feeder-through-platform-improper-access-control-via-api-endpoint and additional analysis at https://bobdahacker.com/blog/petlibro.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-0786
Vulnerability details
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an improper access control vulnerability that allows unauthorized device manipulation by accepting arbitrary serial numbers without ownership verification. Attackers can control any device by sending serial numbers to device control…
more
APIs to change feeding schedules, trigger manual feeds, access camera feeds, and modify device settings without authorization checks.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper access control in public platform APIs directly enables remote exploitation of an internet-facing application for unauthorized device control.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires the platform to enforce ownership-based authorization checks before allowing API calls that use serial numbers to manipulate devices.
Requires cryptographic or strong verification of device identifiers (serial numbers) and their binding to legitimate owners before any control actions are accepted.
Mandates that access-control decisions incorporate verified attributes such as device ownership rather than blindly accepting arbitrary serial numbers.