CVE-2024-36556
Published: 06 February 2025
Summary
CVE-2024-36556 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Diva Portal (inferred from references). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 28.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-36556 is a hardcoded password vulnerability (CWE-798) affecting two specific firmware versions of children's smartwatches: Forever KidsWatch Call Me KW50 running R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h and Forever KidsWatch Call Me 2 KW60 running R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b. Published on 2025-02-06, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to its potential for high-impact unauthorized access.
Remote attackers require no privileges, authentication, or user interaction to exploit this over the network with low complexity. Successful exploitation enables high confidentiality and integrity impacts, such as accessing sensitive data on the device or modifying its functions, while availability remains unaffected.
The provided reference points to a document titled "Exploiting Vulnerabilities to Remotely Hijack Children’s Smartwatches" hosted on diva-portal.org, which discusses research into such flaws but does not detail specific patches or mitigation steps from official advisories.
This vulnerability underscores risks in IoT devices targeted at children, with the reference indicating academic exploration of remote hijacking techniques.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5057
Vulnerability details
Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h, and Forever KidsWatch Call Me 2 KW60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b have a hardcoded password vulnerability.
- CWE(s): CWE-798 (Use of Hard-coded Credentials)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A hardcoded password (CWE-798) directly supplies valid default credentials for remote authentication (T1078.001, Default Accounts) and is itself an unsecured credential stored in device firmware (T1552.001, Credentials In Files).
Mitigating Controls (NIST 800-53 r5)
IA-5 mandates management of authenticators including prohibition of hardcoded passwords, directly preventing remote unauthorized access to the vulnerable smartwatch firmware.
SI-2 requires timely identification, reporting, and remediation of flaws like the hardcoded password in CVE-2024-36556 firmware versions.
CM-6 enforces restrictive and documented configuration settings for system components, mitigating hardcoded credentials embedded in device firmware.
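The CWE-798 pattern behind this CVE, and the IA-5-aligned alternative, shown as an added illustration in C. This is not the watch firmware or the researchers' code; the default string, the per-device secrets and the `device_credential_t` storage layout are all constructed stand-ins for an embedded authentication check. The vulnerable function compiles one password into every unit; the hardened one accepts only a secret written into that unit at provisioning time, fails closed if none was written, and compares in constant time.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- CWE-798 pattern (constructed value, not the real device's) ---
 * One password baked into the image means every shipped unit shares it
 * and anyone who extracts it from one firmware image holds a valid
 * credential for all of them (T1078.001 / T1552.001). */
static const char VULN_DEFAULT_PASSWORD[] = "123456";

/* Vulnerable check: fixed secret, same on every device. */
int vuln_authenticate(const char *supplied) {
    return strcmp(supplied, VULN_DEFAULT_PASSWORD) == 0;
}

/* --- IA-5-aligned design: per-device secret set at provisioning --- */
typedef struct {
    uint8_t secret[32];   /* stand-in for OTP / secure-element storage */
    size_t  secret_len;
    int     provisioned;  /* 0 until the factory step has run */
} device_credential_t;

/* Constant-time equality so the comparison does not leak match length. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Factory/provisioning step: the secret is supplied per unit (in real
 * hardware from a CSPRNG) rather than compiled in. Rejects empty or
 * oversized secrets, leaving the unit unprovisioned. */
void provision_device(device_credential_t *cred, const uint8_t *secret, size_t len) {
    memset(cred, 0, sizeof *cred);
    if (secret == NULL || len == 0 || len > sizeof cred->secret) return;
    memcpy(cred->secret, secret, len);
    cred->secret_len = len;
    cred->provisioned = 1;
}

/* Hardened check: 1 on success, 0 otherwise. Fails closed when the unit
 * was never provisioned instead of falling back to a default. */
int hardened_authenticate(const device_credential_t *cred,
                          const uint8_t *supplied, size_t supplied_len) {
    if (cred == NULL || supplied == NULL) return 0;
    if (!cred->provisioned || cred->secret_len == 0) return 0;
    if (supplied_len != cred->secret_len) return 0;
    return ct_equal(cred->secret, supplied, cred->secret_len);
}

/* Self-check: two units provisioned with different (constructed) secrets
 * must accept only their own, and an unprovisioned unit must accept none.
 * Returns 1 when the hardened design behaves as intended. */
int demo_per_device_isolation(void) {
    static const uint8_t secret_a[16] = {0x5a,0x11,0x0c,0x9e,0x42,0x73,0xd8,0x21,
                                         0x66,0xaf,0x03,0x7b,0xe4,0x19,0xc5,0x30};
    static const uint8_t secret_b[16] = {0x0f,0x88,0x3d,0x61,0x95,0x2a,0xb7,0x4c,
                                         0xd2,0x17,0x6e,0xa9,0x38,0xf0,0x54,0x8b};
    device_credential_t a, b, unprovisioned;
    provision_device(&a, secret_a, sizeof secret_a);
    provision_device(&b, secret_b, sizeof secret_b);
    memset(&unprovisioned, 0, sizeof unprovisioned);

    int ok = hardened_authenticate(&a, secret_a, 16)
          && hardened_authenticate(&b, secret_b, 16)
          && !hardened_authenticate(&a, secret_b, 16)
          && !hardened_authenticate(&b, secret_a, 16)
          && !hardened_authenticate(&unprovisioned, secret_a, 16)
          && !hardened_authenticate(&a, secret_a, 15);  /* length mismatch */
    return ok;
}

int main(void) {
    printf("vulnerable check accepts shared default: %d\n", vuln_authenticate("123456"));
    printf("hardened per-device isolation holds:     %d\n", demo_per_device_isolation());
    return 0;
}
```

The contrast is the whole point of IA-5 here: with `vuln_authenticate`, the secret is an artifact of the build and can be recovered from any copy of the image, so SI-2 remediation means shipping new firmware and a per-unit credential reset, not just rotating one string. A firmware review for CWE-798 looks for exactly the first pattern: a string or byte constant that reaches an authentication comparison without ever being read from per-device storage.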