CVE-2026-0842: Missing Authentication in Flycatcher Toys smART Sketcher
A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. It affects an unknown part of the Bluetooth Low Energy Interface component and results in missing authentication. The attack can only be carried out within the local network. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2026-0842 is a vulnerability in the Bluetooth Low Energy (BLE) interface of Flycatcher Toys smART Sketcher, affecting versions up to 2.0. It arises from missing authentication controls in the BLE communication component, which allow an attacker on the same local network to interact with the device without any authentication or user interaction. As a result, an attacker can potentially send unauthorized commands or manipulate the device's behavior remotely over BLE. The attack vector is limited to local network access, which restricts exploitation to attackers physically or logically close to the victim device. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the moderate impact and the ease of exploitation without privileges or user interaction. The vendor was notified early but has not issued any patches or advisories, and no official remediation is currently available. Exploit details have been published, increasing the risk of exploitation. The vulnerability could lead to unauthorized control over the toy, potentially impacting the confidentiality and integrity of data exchanged or stored by the device. The absence of authentication in BLE communications is a critical design flaw that undermines the security of the device in local network environments.
Potential Impact
The primary impact of CVE-2026-0842 is unauthorized access and control over the Flycatcher Toys smART Sketcher device via its BLE interface. This could allow attackers to manipulate device functions, potentially causing unexpected behavior or data leakage. For consumers, this may lead to privacy violations or safety concerns, especially if the toy collects or transmits sensitive information. For organizations such as schools, daycare centers, or retail environments using these devices, the vulnerability could be exploited to disrupt operations or gain a foothold in local networks. Although the attack requires local network access, environments with weak network segmentation or guest Wi-Fi access are particularly vulnerable. The lack of vendor response and absence of patches prolong the exposure window, increasing the risk of exploitation. While no active exploits are reported in the wild, the public availability of exploit code raises the likelihood of opportunistic attacks. Overall, the vulnerability undermines trust in IoT devices used by children and families and highlights the importance of secure BLE implementations.
Mitigation Recommendations
1. Restrict local network access to the Flycatcher Toys smART Sketcher devices by implementing strong network segmentation and access controls, isolating IoT devices from critical infrastructure.
2. Disable Bluetooth functionality on the device when not in use to minimize the attack surface.
3. Monitor local network traffic for unusual BLE activity or unauthorized connection attempts targeting the device.
4. Educate users and administrators about the risks of connecting these devices to untrusted networks, especially public or guest Wi-Fi.
5. If possible, replace affected devices with newer models or alternatives that implement proper BLE authentication.
6. Advocate for vendor engagement and request official patches or firmware updates to address the authentication flaw.
7. Employ BLE security best practices in the environment, such as using BLE pairing with authentication and encryption where supported.
8. Maintain an inventory of all IoT devices and regularly assess their security posture to identify and mitigate similar vulnerabilities proactively.
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, China, Brazil, Mexico
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-10T09:52:57.730Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69635e11da2266e83844dcd4
Added to database: 1/11/2026, 8:23:45 AM
Last enriched: 2/23/2026, 10:45:51 PM
Last updated: 3/24/2026, 3:04:55 PM