CVE-2024-36553

High

Published: 06 February 2025

Published

06 February 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

EPSS Score 0.0009 26.2th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-36553 is a high-severity Channel Accessible by Non-Endpoint (CWE-300) vulnerability in Diva Portal (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, ranked at the 26.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-23 (Session Authenticity).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-8 Transmission Confidentiality and Integrity good match

prevent

Directly enforces confidentiality and integrity protections on network transmissions to prevent MITM interception and tampering exploited in this CVE.

SC-23 Session Authenticity good match

prevent

Protects the authenticity of communications sessions to block MITM attacks that enable remote hijacking of the vulnerable KidsWatch device.

SC-13 Cryptographic Protection good match

prevent

Implements cryptographic mechanisms to secure the communication channel accessible by non-endpoints, comprehensively addressing the CWE-300 vulnerability.

NVD Description

Forever KidsWatch Call Me KW-50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h is vulnerable to MITM attack.

Deeper analysisAI

CVE-2024-36553 is a Man-in-the-Middle (MITM) vulnerability affecting the Forever KidsWatch Call Me KW-50 device with firmware version R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h. Mapped to CWE-300 (Channel Accessible by Non-Endpoint), it earned a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N), highlighting its high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality and integrity.

Any remote attacker without privileges can exploit this vulnerability over the network, provided they induce user interaction. Successful MITM interception enables high confidentiality and integrity violations, such as eavesdropping on or tampering with device communications, potentially leading to remote hijacking of the children's smartwatch.

A referenced research document details exploitation techniques for remotely hijacking children's smartwatches but provides no specific advisories, patches, or mitigation guidance.

Details

CWE(s): CWE-300

Affected Products

Diva Portal

—

inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2024-12602Shared CWE-300

CVE-2023-38272Shared CWE-300

References

https://www.diva-portal.org/smash/record.jsf?aq2=%5B%5B%5D%5D&c=1&af=%5B%5D&searchType=SIMPLE&sortOrder2=title_sort_asc&query=Exploiting+Vulnerabilities+to+Remotely+Hijack+Children%E2%80%99s+Smartwatches&language=en&pid=diva2%3A1933447&aq=%5B%5B%5D%5D&sf=undergraduate&aqe=%5B%5D&sortOrder=author_sort_asc&onlyFullText=false&noOfRows=50&dswid=-8296
cve@mitre.org