Cyber Resilience

CVE-2024-36555

Critical

Published: 06 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: none referenced
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0011 (29.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-36555 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in the firmware of two Forever KidsWatch children's smartwatches, the Call Me KW50 and the Call Me 2 KW-60. Its CVSS v3.1 base score is 9.8 (Critical). The only reference is a DiVA portal record (an academic repository); DiVA is not an affected product.

Its EPSS score places it at the 29.2nd percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-4 (Identifier Management).

Deeper analysis

CVE-2024-36555 affects the built-in SMS-configuration command in two specific firmware versions of children's smartwatches: Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h and Forever KidsWatch Call Me 2 KW-60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b. Classified under CWE-306 (Missing Authentication for Critical Function), the vulnerability enables unauthorized modification of the device's IMEI number, allowing attackers to forge the device's identity on cellular networks. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to high impacts on confidentiality, integrity, and availability.

The attack requires no authentication, privileges or user interaction: the attacker sends the SMS-configuration command to the watch's SIM number and the firmware acts on it without checking who sent it. Successful exploitation changes the IMEI, which forges the device's identity on the cellular network and can support impersonation in network communications or tracking systems.

The sole reference is a DiVA portal record titled "Exploiting Vulnerabilities to Remotely Hijack Children's Smartwatches", which describes the issue; the available information contains no patch, vendor advisory or explicit mitigation steps. Because the defect is a missing authentication check, the expected fix is a firmware update that binds configuration commands to an authenticated sender. Until such an update is confirmed, practitioners should isolate affected devices and monitor for unauthorized SMS configuration commands.
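The following C program is an added illustration of the CWE-306 pattern described above and of the authentication check it lacks; it is not code from the watch firmware or from the referenced research. The real KW50 / KW-60 command grammar is not on this page, so the `imei,` and `pw,` prefixes, the `device_t` fields, the admin-number-plus-PIN scheme and the sample phone numbers and messages are all assumptions. The vulnerable handler accepts the command from any sender; the hardened one accepts it only from the bound administrator number, only with the correct PIN, and only for a well-formed 15-digit IMEI (Luhn check digit included).

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative device state. The real KW50 / KW-60 firmware layout and its SMS
 * command grammar are not on this page, so the field names, the "imei," and
 * "pw," prefixes and the sample numbers below are assumptions for the example. */
typedef struct {
    char imei[16];          /* 15 digits plus NUL */
    char admin_number[24];  /* phone number bound as administrator (assumed) */
    char config_pin[8];     /* shared secret carried in configuration SMS (assumed) */
} device_t;

/* IMEI sanity check: exactly 15 digits, the last one a Luhn check digit. */
bool imei_is_valid(const char *s) {
    if (strlen(s) != 15) return false;
    int sum = 0;
    for (int i = 0; i < 15; i++) {
        if (!isdigit((unsigned char)s[i])) return false;
        int d = s[i] - '0';
        if (i % 2 == 1) {        /* double every second digit, counting from the left */
            d *= 2;
            if (d > 9) d -= 9;
        }
        sum += d;
    }
    return sum % 10 == 0;
}

/* Vulnerable shape (CWE-306): whoever sends "imei,<digits>" rewrites the IMEI.
 * Returns true when the command was accepted. */
bool handle_sms_vulnerable(device_t *dev, const char *sender, const char *body) {
    (void)sender;                                   /* origin is never checked */
    if (strncmp(body, "imei,", 5) != 0) return false;
    const char *new_imei = body + 5;
    if (strlen(new_imei) >= sizeof dev->imei) return false;
    strcpy(dev->imei, new_imei);                    /* no format check either */
    return true;
}

/* Hardened shape: accept "pw,<pin>,imei,<digits>" only from the bound admin
 * number, only with the correct PIN, and only for a well-formed IMEI. */
bool handle_sms_hardened(device_t *dev, const char *sender, const char *body) {
    if (strcmp(sender, dev->admin_number) != 0) return false;   /* authenticate origin */
    if (strncmp(body, "pw,", 3) != 0) return false;
    const char *pin = body + 3;
    const char *comma = strchr(pin, ',');
    if (comma == NULL) return false;
    size_t pin_len = (size_t)(comma - pin);
    /* Length check plus memcmp; production code should use a constant-time compare. */
    if (pin_len != strlen(dev->config_pin) || memcmp(pin, dev->config_pin, pin_len) != 0)
        return false;                                           /* authenticate secret */
    const char *cmd = comma + 1;
    if (strncmp(cmd, "imei,", 5) != 0) return false;
    const char *new_imei = cmd + 5;
    if (!imei_is_valid(new_imei)) return false;                  /* validate identifier */
    memcpy(dev->imei, new_imei, 16);                             /* 15 digits + NUL */
    return true;
}

int main(void) {
    /* Constructed sample state and messages; the numbers are not real subscribers. */
    device_t dev = { "490154203237518", "+15550100", "1234" };
    const char *stranger = "+15559999";

    handle_sms_vulnerable(&dev, stranger, "imei,111111111111111");
    printf("vulnerable handler, stranger sender: IMEI is now %s\n", dev.imei);

    device_t fixed = { "490154203237518", "+15550100", "1234" };
    bool a = handle_sms_hardened(&fixed, stranger, "pw,1234,imei,356938035643809");
    bool b = handle_sms_hardened(&fixed, fixed.admin_number, "pw,0000,imei,356938035643809");
    bool c = handle_sms_hardened(&fixed, fixed.admin_number, "pw,1234,imei,356938035643808");
    bool d = handle_sms_hardened(&fixed, fixed.admin_number, "pw,1234,imei,356938035643809");
    printf("hardened: stranger=%d wrong-pin=%d bad-luhn=%d admin=%d, IMEI is now %s\n",
           a, b, c, d, fixed.imei);
    return 0;
}
```

The hardened handler shows the minimum an SMS-configuration path needs before it touches a critical identifier: an authenticated origin and a secret that a stranger who merely knows the watch's number does not have. On a consumer device the stronger design is to expose no IMEI write path at all, since the identifier is supposed to stay bound to the hardware.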


Vulnerability details

Built-in SMS-configuration command in Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h and Forever KidsWatch Call Me 2 KW-60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b allows malicious users to change the device IMEI-number which allows for forging the identity of the device.

CWE(s)

CWE-306 Missing Authentication for Critical Function


MITRE ATT&CK Enterprise Techniques

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-26160 (shared CWE-306)
CVE-2026-25192 (shared CWE-306)
CVE-2026-32064 (shared CWE-306)
CVE-2025-63389 (shared CWE-306)
CVE-2025-15620 (shared CWE-306)
CVE-2025-26359 (shared CWE-306)
CVE-2025-21515 (shared CWE-306)
CVE-2025-57432 (shared CWE-306)
CVE-2026-27446 (shared CWE-306)
CVE-2025-9254 (shared CWE-306)

Affected Assets

Forever KidsWatch Call Me KW50 (firmware R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h)
Forever KidsWatch Call Me 2 KW-60 (firmware R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b)
inferred from the vulnerability description; NVD did not file a CPE for this CVE. The DiVA portal named in the reference hosts the research record and is not an affected product.

Mitigating Controls (NIST 800-53 r5)

prevent: AC-14 (Permitted Actions Without Identification or Authentication) requires the organization to enumerate and justify which actions may be performed without authentication; a configuration command that rewrites the IMEI has no place on that list, so the SMS-configuration path should demand an authenticated origin.

prevent: IA-4 (Identifier Management) governs how device identifiers are assigned and kept bound to the device; an IMEI that any SMS sender can overwrite breaks that binding and enables device identity forgery.

prevent: IA-3 (Device Identification and Authentication) requires devices to be uniquely identified and authenticated before they connect, which limits what a forged IMEI buys an attacker on the network side.

References

Exploiting Vulnerabilities to Remotely Hijack Children's Smartwatches (DiVA portal record)