CVE-2025-3654

MediumPublic PoC

Published: 04 January 2026

Published

04 January 2026

Modified

03 February 2026

KEV Added

—

Patch

—

CVSS Score 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Score 0.0007 20.6th percentile

Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-3654 is a medium-severity Improper Authorization of Index Containing Sensitive Information (CWE-612) vulnerability in Petlibro Petlibro. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1082 System Information Discovery Discovery

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

attack.mitre.org →

Why these techniques?

Direct exploitation of unauthenticated public API endpoint for device info disclosure (T1190); enables unauthorized system/hardware information gathering (T1082) that leads to device control.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an information disclosure vulnerability that allows unauthorized access to device hardware information by exploiting insecure API endpoints. Attackers can retrieve device serial numbers and MAC addresses through /device/devicePetRelation/getBoundDevices using pet…

IDs, enabling full device control without proper authorization checks.

Deeper analysisAI

CVE-2025-3654 is an information disclosure vulnerability affecting the Petlibro Smart Pet Feeder Platform in versions up to 1.7.31. The flaw stems from insecure API endpoints that lack proper authorization checks, allowing unauthorized access to sensitive device hardware information. Specifically, attackers can exploit the /device/devicePetRelation/getBoundDevices endpoint by providing pet IDs to retrieve device serial numbers and MAC addresses. The vulnerability has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) and is associated with CWE-612.

Any unauthenticated attacker with network access can exploit this vulnerability due to its low attack complexity and lack of required privileges. By obtaining device serial numbers and MAC addresses, attackers gain the ability to achieve full control over the affected devices without further authentication, potentially enabling unauthorized feeding schedules, settings changes, or other manipulations of the smart pet feeder.

For mitigation details, security practitioners should consult the referenced advisories, including https://bobdahacker.com/blog/petlibro and https://www.vulncheck.com/advisories/petlibro-smart-pet-feeder-platform-through-information-disclosure-via-api-endpoint, which were published alongside the CVE on 2026-01-04.

Details

CWE(s): CWE-612

Affected Products

petlibro

≤ 1.7.31

CVEs Like This One

CVE-2025-3660Same product: Petlibro Petlibro

CVE-2025-3653Same product: Petlibro Petlibro

CVE-2025-3646Same product: Petlibro Petlibro

CVE-2025-15115Same product: Petlibro Petlibro

CVE-2019-25605Shared CWE-612

References

https://bobdahacker.com/blog/petlibro
Product · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/petlibro-smart-pet-feeder-platform-through-information-disclosure-via-api-endpoint
Third Party Advisory · disclosure@vulncheck.com