CVE-2026-9219 | Setracker2 Android Companion App com.tgelec.setracker versio… | CVSS 6.5 MEDIUM

Description

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior have a predictable registration ID derived from IMEI. The enrollment system lacks additional authentication before assignment. If an attacker is able to obtain the registration ID, they would be able to arbitrarily enroll watches belonging to other users.

Metadata

CVE ID: CVE-2026-9219
State: PUBLISHED
Assigner: icscert
Reserved: 2026-05-21 17:34 UTC
Published: 2026-06-25 23:10 UTC
Last updated: 2026-06-25 23:10 UTC
Primary CWE: CWE-340
CWE-340 Generation of Predictable Numbers or Identifiers
Vendor / Product: Shenzhen i365-Tech Co. Ltd. / Setracker2 Parental Control App (Android) package com.tgelec.setracker
Sources: cve.org · NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Affected products (1)

Vendor	Product	Platform	Versions
Shenzhen i365-Tech Co. Ltd.	Setracker2 Parental Control App (Android) package com.tgelec.setracker	—	0 ≤ 3.1.5

Weakness (CWE)

CWE	Source	Description
CWE-340	cna	CWE-340 Generation of Predictable Numbers or Identifiers

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.3	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
6.5	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

References (1)

https://raw.githubusercontent.com/cisagov/CSAF/refs/heads/develop/csaf_files/VA/white/2026/va-26-176-01.json