CVE-2024-36555

CVE-2024-36555 affects the built-in SMS-configuration command in two specific firmware versions of children's smartwatches: Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h and Forever KidsWatch Call Me 2 KW-60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b. Classified under CWE-306 (Missing Authentication for Critical Function), the vulnerability enables unauthorized modification of the device's IMEI number, allowing attackers to forge the device's identity on cellular networks. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to high impacts on confidentiality, integrity, and availability.

Any remote attacker can exploit this vulnerability without authentication, privileges, or user interaction by leveraging the unauthenticated SMS-configuration command. Successful exploitation allows changing the IMEI number, enabling device identity forgery, which could facilitate impersonation in network communications or tracking systems.

The sole reference points to a DIVA portal record titled "Exploiting Vulnerabilities to Remotely Hijack Children’s Smartwatches," which details the issue but provides no explicit mitigation steps, patches, or vendor advisories in the available information. Security practitioners should isolate affected devices and monitor for unauthorized SMS commands until firmware updates are confirmed.