Cyber Posture

CVE-2024-36556

Critical

Published: 06 February 2025

Modified: 15 April 2026
KEV Added: none listed
Patch: none listed
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0011 (28.4th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h, and Forever KidsWatch Call Me 2 KW60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b have a Hardcoded password vulnerability.

Security Summary

CVE-2024-36556 is a hardcoded password vulnerability (CWE-798) affecting two specific firmware builds of children's smartwatches: Forever KidsWatch Call Me KW50 running R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h and Forever KidsWatch Call Me 2 KW60 running R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b. Published on 06 February 2025, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), which falls in the Critical band (9.0 to 10.0) of the CVSS qualitative rating scale.

The vector spells out the exposure: the flaw is reachable over the network (AV:N), needs no special conditions (AC:L), no privileges or prior authentication (PR:N) and no user interaction (UI:N), which is exactly what a fixed credential baked into firmware implies. Successful exploitation yields high confidentiality and integrity impact (C:H/I:H), such as reading data held on the watch or altering its functions, while availability is unaffected (A:N) and the impact stays within the vulnerable component (S:U).

The provided reference points to a document titled "Exploiting Vulnerabilities to Remotely Hijack Children’s Smartwatches" hosted on diva-portal.org, which discusses research into such flaws but does not detail specific patches or mitigation steps from official advisories.

This vulnerability underscores the risk in IoT devices marketed for children, and the reference shows the flaw being studied as a remote hijacking vector in academic work. Because the credential is fixed in the firmware (CWE-798), owners cannot rotate it themselves; remediation depends on a vendor firmware update, and no patch is listed on this page.

Details

CWE(s)
CWE-798 (Use of Hard-coded Credentials)

References