Cyber Resilience

CVE-2024-36556

Severity: Critical
Published: 06 February 2025
Modified: 15 April 2026
CVSS v3.1 score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.0011 (28.4th percentile)
Risk priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-36556 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Diva Portal (inferred from references). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). Its EPSS score places it at the 28.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-36556 is a hardcoded password vulnerability (CWE-798) affecting two specific firmware versions of children's smartwatches: Forever KidsWatch Call Me KW50 running R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h and Forever KidsWatch Call Me 2 KW60 running R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b. Published on 2025-02-06, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to its potential for high-impact unauthorized access.

Remote attackers require no privileges, authentication, or user interaction to exploit this over the network with low complexity. Successful exploitation enables high confidentiality and integrity impacts, such as accessing sensitive data on the device or modifying its functions, while availability remains unaffected.

The provided reference points to a document titled "Exploiting Vulnerabilities to Remotely Hijack Children’s Smartwatches" hosted on diva-portal.org, which discusses research into such flaws but does not detail specific patches or mitigation steps from official advisories.

This vulnerability underscores risks in IoT devices targeted at children, with the reference indicating academic exploration of remote hijacking techniques.

Vulnerability details

Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h and Forever KidsWatch Call Me 2 KW60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b have a hardcoded password vulnerability.

CWE(s)

CWE-798 Use of Hard-coded Credentials

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1078.001 Default Accounts (Stealth): Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Hardcoded password (CWE-798) directly provides valid default credentials for remote authentication (T1078.001) and represents unsecured credentials stored in device firmware (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-36538 (shared CWE-798)
CVE-2026-23781 (shared CWE-798)
CVE-2025-30122 (shared CWE-798)
CVE-2026-29119 (shared CWE-798)
CVE-2026-24346 (shared CWE-798)
CVE-2024-46433 (shared CWE-798)
CVE-2025-26410 (shared CWE-798)
CVE-2025-55263 (shared CWE-798)
CVE-2020-37135 (shared CWE-798)
CVE-2026-27785 (shared CWE-798)

Affected Assets

Diva Portal (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent: IA-5 mandates management of authenticators, including prohibition of hardcoded passwords, directly preventing remote unauthorized access to the vulnerable smartwatch firmware.

Detect / respond: SI-2 requires timely identification, reporting, and remediation of flaws like the hardcoded password in the CVE-2024-36556 firmware versions.

Prevent: CM-6 enforces restrictive and documented configuration settings for system components, mitigating hardcoded credentials embedded in device firmware.
