Cyber Resilience

CVE-2024-36558

Severity: High
Published: 06 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: none recorded
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0005 (17.0th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-36558 is a high-severity Cleartext Transmission of Sensitive Information (CWE-319) vulnerability in the Forever KidsWatch Call Me KW-50 children's smartwatch, firmware R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h. NVD filed no CPE for it, so the affected product is taken from the CVE description. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Network Sniffing (T1040). Its EPSS score of 0.0005 places it at the 17.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-8 (Transmission Confidentiality and Integrity).

Deeper analysis

CVE-2024-36558 is a Cleartext Transmission of Sensitive Information vulnerability (CWE-319) affecting the Forever KidsWatch Call Me KW-50 device with firmware version R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h. The issue stems from the absence of encryption in communication between the device and its server, allowing sensitive data to be transmitted in plaintext. Published on 2025-02-06, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity primarily due to confidentiality impact.

Remote attackers need no authentication, privileges, user interaction or special technique (AV:N/AC:L/PR:N/UI:N), but they do need to observe the device's traffic: a position anywhere between the watch and its server from which the traffic can be seen, mirrored or redirected (for example, the same Wi-Fi network or an intermediate hop). From there, a passive capture yields whatever the device sends in cleartext, potentially including location data, user identifiers, or other personal details about the child wearing the watch. The vector does not by itself grant the ability to alter traffic; the CVSS vector records no integrity or availability impact (I:N/A:N).

The sole reference is a document on the DIVA portal titled "Exploiting Vulnerabilities to Remotely Hijack Children’s Smartwatches", which discusses vulnerabilities in such devices; the information available gives no vendor advisory, patch, or mitigation steps for this firmware.

Vulnerability details

Forever KidsWatch Call Me KW-50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h suffers from Cleartext Transmission of Sensitive Information due to lack of encryption in device-server communication.

CWE(s)

CWE-319 Cleartext Transmission of Sensitive Information

Related Threats

MITRE ATT&CK Enterprise Techniques

T1040 Network Sniffing (Credential Access)
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.
Why these techniques?

Cleartext transmission of sensitive data (location, identifiers) between device and server directly enables passive network sniffing to capture information without encryption or authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23661 (shared CWE-319)
CVE-2025-13718 (shared CWE-319)
CVE-2025-70048 (shared CWE-319)
CVE-2024-44276 (shared CWE-319)
CVE-2025-69272 (shared CWE-319)
CVE-2024-42181 (shared CWE-319)
CVE-2026-30795 (shared CWE-319)
CVE-2026-30796 (shared CWE-319)
CVE-2025-67159 (shared CWE-319)
CVE-2026-22271 (shared CWE-319)

Affected Assets

Forever KidsWatch Call Me KW-50, firmware R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h
inferred from the CVE description; NVD did not file a CPE for this CVE. The DIVA portal is the source of the reference document, not an affected asset.

Mitigating Controls

NIST 800-53 r5 controls

SC-8 Transmission Confidentiality and Integrity (prevent): mandates cryptographic mechanisms to protect the confidentiality and integrity of information transmitted between the device and server, directly mitigating cleartext transmission of sensitive data. In practice this means TLS with server certificate validation on the device; encryption without validation still leaves an on-path attacker able to impersonate the server.

SC-13 Cryptographic Protection (prevent): requires that the cryptography used for device-server communications is implemented with approved algorithms and protocol versions, so the protection SC-8 calls for is not undermined by weak or obsolete ciphers.

SC-9 Transmission Confidentiality (prevent): historically the control for confidentiality of transmitted information, but it was withdrawn from NIST 800-53 and its requirements folded into SC-8. Under Rev 5 there is no separate SC-9 to implement; satisfying SC-8 covers it.
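As an added example (not code from the advisory, the DIVA paper or the vendor), the script below does two things a practitioner would want for this CVE: it triages captured device-to-server flows the way an on-path observer described above would see them, flagging cleartext payloads that carry location, identifier or credential fields, and it builds the client-side TLS context that meets SC-8 (TLS 1.2 or later, server certificate required, hostname checked). The sample flows and the field patterns they match are constructed assumptions; the KW-50's real wire format is not documented on this page.

```python
"""Triage device-to-server captures for cleartext sensitive data, and
build the client-side TLS context that fixes it.

Added example, not code from the advisory or vendor. The sample flows and
the field patterns are constructed assumptions; the KW-50 wire format is
not documented on this page.
"""
from __future__ import annotations

import re
import ssl

# Constructed samples: (label, first bytes an on-path observer would see).
SAMPLE_FLOWS = [
    ("cleartext JSON check-in",
     b'{"imei":"356938035643809","lat":59.3293,"lon":18.0686,"batt":87}'),
    ("cleartext HTTP login",
     b"POST /api/login HTTP/1.1\r\nHost: watch.example.invalid\r\n\r\n"
     b"user=parent&pass=hunter2"),
    # TLS record header (type 0x16 handshake, legacy version 0x0301) followed
    # by a truncated ClientHello; an observer sees this, never the payload.
    ("TLS ClientHello",
     bytes.fromhex("16030100c5010000c10303") + b"\x00" * 16),
]

# Heuristic field patterns (assumptions; tune to the real protocol).
SENSITIVE_PATTERNS = {
    "imei": re.compile(rb"\b\d{15}\b"),
    "gps": re.compile(rb'"?(lat|lon|lng)"?\s*[:=]\s*-?\d{1,3}\.\d+', re.I),
    "credential": re.compile(rb"(pass(word)?|token|pwd)\s*[:=]", re.I),
}


def is_tls_record(data: bytes) -> bool:
    """True if the bytes start like a TLS record: content type 0x16
    (handshake) and a legacy version field of 3.0 through 3.4."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04


def find_cleartext_sensitive(data: bytes) -> list[str]:
    """Names of sensitive fields visible in cleartext; empty for TLS flows."""
    if is_tls_record(data):
        return []
    return [name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(data)]


def triage(flows=SAMPLE_FLOWS) -> dict[str, list[str]]:
    """Map each flow label to the sensitive field names exposed in cleartext."""
    return {label: find_cleartext_sensitive(payload) for label, payload in flows}


def hardened_client_context() -> ssl.SSLContext:
    """Client TLS settings that meet SC-8: TLS 1.2 minimum, server
    certificate required and hostname checked. Encrypting without
    verification would still let an on-path attacker impersonate the
    server, so all three are set explicitly rather than left to defaults."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    for label, hits in triage().items():
        status = "CLEARTEXT: " + ", ".join(hits) if hits else "no cleartext sensitive fields"
        print(f"{label}: {status}")
```

Run it on a real capture by replacing SAMPLE_FLOWS with the first bytes of each TCP stream from the pcap; any flow that is not a TLS record and matches a pattern is a finding for CWE-319. The pattern set is deliberately small and will need the device's actual field names once they are known.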

References

"Exploiting Vulnerabilities to Remotely Hijack Children’s Smartwatches" (DIVA portal)