Notes on ThroughTek Kalay Vulnerabilities and Their Impact on the IoT Ecosystem

**Executive summary:** Bitdefender discloses four vulnerabilities (CVE-2023-6321 through CVE-2023-6324) in the ThroughTek Kalay IoT platform that—when chained—allow attackers to obtain root access and, following local network probing, execute code remotely on affected devices (notably Owlet Cam v1/v2, Wyze Cam v3, and Roku Indoor Camera SE); the report includes technical analyses, coordinated disclosure timelines, and links to vendor-specific whitepapers and CVE entries, and notes that patches have been issued.