CVE-2025-11649
Tomofun · Tomofun Multiple Products
A high-severity vulnerability has been discovered in Tomofun Furbo 360 and Furbo Mini smart pet cameras.
Executive summary
Successful exploitation could allow an unauthenticated attacker on the same local network as a Furbo 360 or Furbo Mini to gain access to the device's camera and microphone, posing a significant risk to user privacy and security. Immediate application of vendor-provided security updates is required to mitigate this threat.
Vulnerability
The vulnerability is an authentication bypass in the device's network service API. An unauthenticated attacker on the same local network can send a specially crafted request to that API; because the device does not properly validate the session token carried in the request, the attacker gains unauthorized access to administrative functions, including the ability to view the live video stream, listen through the microphone, and potentially activate other device features. The precondition is network reachability of the device's LAN interface, so exposure is bounded by who can reach that segment, including guest Wi-Fi clients and any hosts able to reach the device through port forwarding.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7. Exploitation of this flaw could lead to a severe breach of privacy, allowing attackers to conduct surveillance within a home or office environment. For an organization, this could result in the exposure of sensitive conversations, compromise of physical security by allowing attackers to monitor employee presence, and significant reputational damage. The direct impact on confidentiality is high, as private audio and video feeds could be intercepted.
Remediation
Immediate Action: Apply the security updates released by Tomofun to all affected Furbo devices. Firmware updates can typically be initiated through the product's companion mobile application; confirm the installed firmware version in the app after the update completes. Where the device or its companion app exposes session or access history, review it for connections from unrecognized IP addresses or unusual activity that occurred prior to the update.
Proactive Monitoring: Monitor network traffic for anomalous patterns originating from or directed to the Furbo devices. Specifically, look for connection attempts to the camera from LAN hosts other than the phones running the companion app, an increase in connection attempts, and data transmission from the camera to unknown endpoints. Consumer cameras expose little local logging, so collect what the network sees instead: flow records, DNS queries, and firewall logs for the camera's address, centralized alongside other device logs, and alert on unauthorized access events or unexpected reboots.
Compensating Controls: If patching cannot be performed immediately, isolate the Furbo devices on a dedicated, restricted network segment or VLAN. This network should not have access to sensitive corporate or personal systems, limiting an attacker's ability to move laterally from a compromised camera. Because the attack requires an attacker on the same local network, restricting which hosts may reach the camera (only the companion-app phones and the camera's own outbound connections to the vendor service) removes the attack path itself, not just the lateral movement that follows; enabling client isolation on the Wi-Fi network the camera uses has the same effect.
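The network-side monitoring described under Proactive Monitoring, as an added example (not code from Tomofun or from this advisory). It runs three checks over a constructed, simplified Zeek-style conn.log: a LAN host other than the companion-app phone opening sessions to the camera, the camera initiating connections to a destination outside its baselined cloud endpoints, and a burst of inbound attempts from one host. The camera and phone addresses, the LAN range, the thresholds, and the "known cloud" range are all assumptions (the cloud range is an RFC 5737 documentation prefix standing in for endpoints you baseline on the real network).

```python
"""Network-side detection for a Furbo camera (added example, not vendor code).

The device offers little logging of its own, so the rules run over what the
network sees: a constructed, simplified Zeek-style conn.log (tab-separated,
columns ts, uid, orig_h, orig_p, resp_h, resp_p, proto, conn_state).
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CAMERA_IPS = {"192.168.50.20"}                 # assumed Furbo address on the IoT VLAN
TRUSTED_CLIENTS = {"192.168.50.11"}            # assumed phone(s) running the companion app
KNOWN_CLOUD = [ip_network("198.51.100.0/24")]  # placeholder for baselined vendor endpoints
LAN = ip_network("192.168.0.0/16")             # assumed internal address space
BURST_THRESHOLD = 5                            # inbound attempts from one host ...
BURST_WINDOW = 60.0                            # ... within this many seconds

# Constructed sample: one legitimate app session, one legitimate cloud
# session, then a LAN host that should never talk to the camera, and a
# camera-initiated connection to an unknown destination.
SAMPLE_CONN_LOG = """\
1700000000.000\tC1\t192.168.50.11\t51000\t192.168.50.20\t443\ttcp\tSF
1700000005.000\tC2\t192.168.50.20\t40001\t198.51.100.7\t443\ttcp\tSF
1700000010.000\tC3\t192.168.1.77\t52000\t192.168.50.20\t80\ttcp\tSF
1700000020.000\tC4\t192.168.50.20\t40002\t203.0.113.9\t4444\ttcp\tS0
1700000100.000\tC5\t192.168.1.77\t52001\t192.168.50.20\t80\ttcp\tREJ
1700000102.000\tC6\t192.168.1.77\t52002\t192.168.50.20\t8080\ttcp\tREJ
1700000104.000\tC7\t192.168.1.77\t52003\t192.168.50.20\t443\ttcp\tSF
1700000106.000\tC8\t192.168.1.77\t52004\t192.168.50.20\t8443\ttcp\tREJ
1700000108.000\tC9\t192.168.1.77\t52005\t192.168.50.20\t554\ttcp\tREJ
"""


@dataclass
class Conn:
    ts: float
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str
    conn_state: str


def parse_conn_log(text):
    """Parse the simplified conn.log body (blank and '#' lines skipped)."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        conns.append(Conn(float(f[0]), f[2], int(f[3]), f[4], int(f[5]), f[6], f[7]))
    return conns


def analyze(conns):
    """Return a list of findings; each is a dict with at least 'rule' and 'host'."""
    findings = []
    inbound = defaultdict(list)  # timestamps of camera-inbound connections, by source
    unexpected = Counter()       # camera-inbound connections from non-allowlisted LAN hosts
    egress = {}                  # camera-outbound destinations outside LAN and known cloud
    for c in conns:
        if c.resp_h in CAMERA_IPS:
            inbound[c.orig_h].append(c.ts)
            if ip_address(c.orig_h) in LAN and c.orig_h not in TRUSTED_CLIENTS:
                unexpected[c.orig_h] += 1
        elif c.orig_h in CAMERA_IPS:
            dst = ip_address(c.resp_h)
            if dst not in LAN and not any(dst in net for net in KNOWN_CLOUD):
                egress.setdefault(c.resp_h, set()).add(c.resp_p)
    for host, n in unexpected.items():
        findings.append({"rule": "unexpected_lan_client", "host": host, "count": n})
    for dst, ports in egress.items():
        findings.append({"rule": "unknown_egress", "host": dst, "ports": sorted(ports)})
    for host, stamps in inbound.items():
        stamps.sort()
        # Sliding window: BURST_THRESHOLD attempts whose first and last are
        # no more than BURST_WINDOW seconds apart.
        for i in range(len(stamps) - BURST_THRESHOLD + 1):
            if stamps[i + BURST_THRESHOLD - 1] - stamps[i] <= BURST_WINDOW:
                findings.append({"rule": "inbound_burst", "host": host,
                                 "first_ts": stamps[i]})
                break
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_conn_log(SAMPLE_CONN_LOG)):
        print(finding)
```

On the sample above the run reports three findings: the unexpected LAN client 192.168.1.77 (six connections), the unknown egress to 203.0.113.9 on port 4444, and an inbound burst from 192.168.1.77. In practice, pin the camera's address with a DHCP reservation so CAMERA_IPS stays valid, and populate KNOWN_CLOUD from a baseline captured while the device is known-good rather than from guesses.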
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity of this vulnerability and the privacy implications of a compromised camera and microphone, we strongly recommend that all users of affected Tomofun products prioritize the immediate installation of the vendor-supplied security updates. While this vulnerability is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its potential for abuse is significant. Organizations should ensure that all such devices, including employee-owned cameras on home networks from which corporate resources are accessed, are inventoried and patched to prevent potential surveillance and breaches of confidentiality.