CVE-2025-11648 | Tomofun Furbo 360/Furbo Mini GATT Interface URL TF_FQDN.json server-side request forgery
A vulnerability labeled as critical has been found in Tomofun Furbo 360 and Furbo Mini. It affects an unknown function of the file TF_FQDN.json in the GATT Interface URL Handler component. Manipulation of this function leads to server-side request forgery.
This vulnerability is listed as CVE-2025-11648. The attack can be performed remotely. In addition, an exploit is available.
The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.