CVE-2025-3654
Published: 04 January 2026
Summary
CVE-2025-3654 is a medium-severity Improper Authorization of Index Containing Sensitive Information (CWE-612) vulnerability in Petlibro Petlibro. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-3654 is an information disclosure vulnerability affecting the Petlibro Smart Pet Feeder Platform in versions up to 1.7.31. The flaw stems from insecure API endpoints that lack proper authorization checks, allowing unauthorized access to sensitive device hardware information. Specifically, attackers can exploit the /device/devicePetRelation/getBoundDevices endpoint by providing pet IDs to retrieve device serial numbers and MAC addresses. The vulnerability has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) and is associated with CWE-612.
Any unauthenticated attacker with network access can exploit this vulnerability due to its low attack complexity and lack of required privileges. By obtaining device serial numbers and MAC addresses, attackers gain the ability to achieve full control over the affected devices without further authentication, potentially enabling unauthorized feeding schedules, settings changes, or other manipulations of the smart pet feeder.
For mitigation details, security practitioners should consult the referenced advisories, including https://bobdahacker.com/blog/petlibro and https://www.vulncheck.com/advisories/petlibro-smart-pet-feeder-platform-through-information-disclosure-via-api-endpoint, which were published alongside the CVE on 2026-01-04.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-0784
Vulnerability details
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an information disclosure vulnerability that allows unauthorized access to device hardware information by exploiting insecure API endpoints. Attackers can retrieve device serial numbers and MAC addresses through /device/devicePetRelation/getBoundDevices using pet…
more
IDs, enabling full device control without proper authorization checks.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct exploitation of unauthenticated public API endpoint for device info disclosure (T1190); enables unauthorized system/hardware information gathering (T1082) that leads to device control.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authorization checks on API endpoints such as /device/devicePetRelation/getBoundDevices to block unauthenticated retrieval of device serial/MAC data.
Requires that only the minimum privileges needed to query pet-device relations are granted, eliminating the anonymous access path described in the CVE.
Provides dedicated monitoring of attempts to obtain sensitive device hardware information through insecure endpoints, enabling detection of the described disclosure.