Cyber Resilience

CVE-2025-3654

Severity: Medium · Public PoC available

Published: 04 January 2026
Modified: 03 February 2026
KEV Added: not listed
Patch: not recorded
CVSS v4 Score: 6.9
CVSS v4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0024 (14.9th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2025-3654 is a medium-severity Improper Authorization of Index Containing Sensitive Information (CWE-612) vulnerability in the Petlibro product from vendor Petlibro. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 14.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-3654 is an information disclosure vulnerability affecting the Petlibro Smart Pet Feeder Platform in versions up to 1.7.31. The flaw stems from insecure API endpoints that lack proper authorization checks, allowing unauthorized access to sensitive device hardware information. Specifically, attackers can exploit the /device/devicePetRelation/getBoundDevices endpoint by providing pet IDs to retrieve device serial numbers and MAC addresses. The vulnerability has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) and is associated with CWE-612.

Any unauthenticated attacker with network access can exploit this vulnerability, since the attack complexity is low and no privileges are required. Once device serial numbers and MAC addresses are known, an attacker can take full control of the affected devices without further authentication, potentially enabling unauthorized changes to feeding schedules and settings, or other manipulation of the smart pet feeder.

For mitigation details, security practitioners should consult the referenced advisories, including https://bobdahacker.com/blog/petlibro and https://www.vulncheck.com/advisories/petlibro-smart-pet-feeder-platform-through-information-disclosure-via-api-endpoint, which were published alongside the CVE on 2026-01-04.

Vulnerability details

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contain an information disclosure vulnerability that allows unauthorized access to device hardware information by exploiting insecure API endpoints. Attackers can retrieve device serial numbers and MAC addresses through /device/devicePetRelation/getBoundDevices using pet IDs, enabling full device control without proper authorization checks.

CWE(s)

CWE-612: Improper Authorization of Index Containing Sensitive Information

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1082 System Information Discovery (Discovery): An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Why these techniques?

The unauthenticated public API endpoint is exploited directly to disclose device information (T1190); the disclosed hardware identifiers amount to unauthorized system and hardware information gathering (T1082), which in turn leads to device control.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-3653: same product (Petlibro Petlibro)
CVE-2025-3660: same product (Petlibro Petlibro)
CVE-2025-3646: same product (Petlibro Petlibro)
CVE-2025-15115: same product (Petlibro Petlibro)
CVE-2019-25605: shared weakness (CWE-612)

Affected Assets

Vendor: petlibro
Product: petlibro
Versions: ≤ 1.7.31

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

prevent (AC-3, Access Enforcement): Directly enforces authorization checks on API endpoints such as /device/devicePetRelation/getBoundDevices, so that device serial and MAC data cannot be retrieved without authentication.

prevent (AC-6, Least Privilege): Requires that only the minimum privileges needed to query pet-device relations are granted, eliminating the anonymous access path described in the CVE.

detect: Provides dedicated monitoring of attempts to obtain sensitive device hardware information through insecure endpoints, enabling detection of the described disclosure.

References