Cyber Resilience

CVE-2024-36553

High

Published: 06 February 2025

Published
06 February 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.0009 26.4th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-36553 is a high-severity Channel Accessible by Non-Endpoint (CWE-300) vulnerability in Diva Portal (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked at the 26.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2024-36553 is a Man-in-the-Middle (MITM) vulnerability affecting the Forever KidsWatch Call Me KW-50 device with firmware version R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h. Mapped to CWE-300 (Channel Accessible by Non-Endpoint), it earned a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N), highlighting its high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality and integrity.

Any remote attacker without privileges can exploit this vulnerability over the network, provided they induce user interaction. Successful MITM interception enables high confidentiality and integrity violations, such as eavesdropping on or tampering with device communications, potentially leading to remote hijacking of the children's smartwatch.

A referenced research document details exploitation techniques for remotely hijacking children's smartwatches but provides no specific advisories, patches, or mitigation guidance.

EU & UK References

Vulnerability details

Forever KidsWatch Call Me KW-50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h is vulnerable to MITM attack.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

CVE directly describes a MITM vulnerability (CWE-300) enabling interception/tampering of device comms, mapping to T1557 Adversary-in-the-Middle.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-12602Shared CWE-300
CVE-2023-38272Shared CWE-300

Affected Assets

Diva Portal
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces confidentiality and integrity protections on network transmissions to prevent MITM interception and tampering exploited in this CVE.

prevent

Protects the authenticity of communications sessions to block MITM attacks that enable remote hijacking of the vulnerable KidsWatch device.

prevent

Implements cryptographic mechanisms to secure the communication channel accessible by non-endpoints, comprehensively addressing the CWE-300 vulnerability.

References