CVE-2026-0842 identifies a security vulnerability in Flycatcher Toys smART Sketcher up to version 2.0, specifically within its Bluetooth Low Energy (BLE) interface component. The flaw results in missing authentication controls, allowing an attacker on the same local network to interact with the device without any authentication or user interaction. This could enable unauthorized manipulation of the device’s functions or data, potentially compromising the device’s integrity and confidentiality. The attack vector is local network access, meaning remote exploitation over the internet is not feasible without prior network access. The CVSS 4.0 base score is 5.3, reflecting medium severity due to the ease of exploitation (no privileges or user interaction needed) but limited scope (local network only) and moderate impact on confidentiality, integrity, and availability. The vendor was notified early but has not issued any patch or response, and an exploit has been published publicly, increasing the risk of exploitation. The vulnerability affects version 2.0 of the smART Sketcher product, a Bluetooth-enabled toy device likely used in home or educational environments. The lack of authentication in the BLE interface is a critical design oversight, as BLE is commonly used for device control and data exchange. Attackers within Wi-Fi or Bluetooth range could exploit this to gain unauthorized control or access sensitive data. No known exploits in the wild have been reported yet, but the public availability of an exploit raises the likelihood of future attacks.

For European organizations, particularly those involved in education, childcare, or consumer electronics retail, this vulnerability poses a risk of unauthorized access to devices within local networks. Potential impacts include unauthorized control of the smART Sketcher device, manipulation of stored data or device behavior, and possible privacy breaches if sensitive information is accessible via the device. While the attack requires local network access, compromised or poorly secured Wi-Fi networks in homes, schools, or offices could facilitate exploitation. This could lead to reputational damage, loss of consumer trust, and potential regulatory scrutiny under GDPR if personal data is involved. The medium severity score reflects moderate risk, but the lack of vendor response and patch availability increases exposure. Organizations relying on these devices should consider the risk of lateral movement within local networks and the potential for attackers to leverage this vulnerability as a foothold for broader network compromise.

1. Network Segmentation: Isolate IoT and toy devices like the smART Sketcher on separate VLANs or guest Wi-Fi networks to limit local network access. 2. Disable Bluetooth Low Energy: If BLE functionality is not required, disable it on the device or within the network environment to eliminate the attack vector. 3. Monitor Local Network Traffic: Deploy network monitoring tools to detect unusual BLE or device communication patterns indicative of exploitation attempts. 4. Access Controls: Implement strong Wi-Fi security (WPA3 where possible), and restrict physical and network access to trusted users only. 5. Vendor Engagement: Continue attempts to engage Flycatcher Toys for patch development or official guidance. 6. User Awareness: Educate users and caregivers about the risks of connecting such devices to insecure networks. 7. Incident Response Planning: Prepare for potential exploitation by establishing procedures for device isolation and forensic analysis. 8. Firmware Updates: Regularly check for any future firmware updates or security advisories from the vendor or third parties.