CVE-2024-36553
Published: 06 February 2025
Summary
CVE-2024-36553 is a high-severity Channel Accessible by Non-Endpoint (CWE-300) vulnerability in Diva Portal (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked at the 26.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-23 (Session Authenticity).
Deeper analysis
CVE-2024-36553 is a Man-in-the-Middle (MITM) vulnerability affecting the Forever KidsWatch Call Me KW-50 device with firmware version R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h. Mapped to CWE-300 (Channel Accessible by Non-Endpoint), it earned a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N), highlighting its high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality and integrity.
Any remote attacker without privileges can exploit this vulnerability over the network, provided they induce user interaction. Successful MITM interception enables high confidentiality and integrity violations, such as eavesdropping on or tampering with device communications, potentially leading to remote hijacking of the children's smartwatch.
A referenced research document details exploitation techniques for remotely hijacking children's smartwatches but provides no specific advisories, patches, or mitigation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5056
Vulnerability details
Forever KidsWatch Call Me KW-50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h is vulnerable to MITM attack.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE directly describes a MITM vulnerability (CWE-300) enabling interception/tampering of device comms, mapping to T1557 Adversary-in-the-Middle.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces confidentiality and integrity protections on network transmissions to prevent MITM interception and tampering exploited in this CVE.
Protects the authenticity of communications sessions to block MITM attacks that enable remote hijacking of the vulnerable KidsWatch device.
Implements cryptographic mechanisms to secure the communication channel accessible by non-endpoints, comprehensively addressing the CWE-300 vulnerability.