Cyber Posture

CVE-2024-36558

High

Published: 06 February 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0005 (16.4th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

Forever KidsWatch Call Me KW-50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h suffers from Cleartext Transmission of Sensitive Information due to lack of encryption in device-server communication.

Security Summary

CVE-2024-36558 is a Cleartext Transmission of Sensitive Information vulnerability (CWE-319) affecting the Forever KidsWatch Call Me KW-50 device with firmware version R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h. The issue stems from the absence of encryption in communication between the device and its server, allowing sensitive data to be transmitted in plaintext. Published on 2025-02-06, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity primarily due to confidentiality impact.

Remote attackers with network access can exploit this vulnerability without authentication, privileges, or user interaction, and with low attack complexity. By intercepting traffic between the device and server, they can capture sensitive information transmitted in cleartext, potentially including location data, user identifiers, or other personal details from the children's smartwatch.

The sole reference points to a document on the DIVA portal titled "Exploiting Vulnerabilities to Remotely Hijack Children’s Smartwatches," which discusses vulnerabilities in such devices. The available information gives no specific details on advisories, patches, or mitigation steps.

Details

CWE(s)
CWE-319

References