CVE-2026-9220 | Setracker2 Android Companion App com.tgelec.setracker versio… | CVSS 7.5 HIGH

Description

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior encrypts requests between the watch and its backend with static hardcoded AES keys and initialization vectors. This allows an attacker to decrypt Setracker2 watch traffic.

Metadata

CVE ID: CVE-2026-9220
State: PUBLISHED
Assigner: icscert
Reserved: 2026-05-21 17:34 UTC
Published: 2026-06-25 23:13 UTC
Last updated: 2026-06-25 23:13 UTC
Primary CWE: CWE-321
CWE-321 Use of hard-coded cryptographic key
Vendor / Product: Shenzhen i365-Tech Co. Ltd. / Setracker2 Parental Control App (Android) package com.tgelec.setracker
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products (1)

Vendor	Product	Platform	Versions
Shenzhen i365-Tech Co. Ltd.	Setracker2 Parental Control App (Android) package com.tgelec.setracker	—	0 ≤ 3.1.5

Weakness (CWE)

CWE	Source	Description
CWE-321	cna	CWE-321 Use of hard-coded cryptographic key

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.7	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
7.5	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (1)

https://raw.githubusercontent.com/cisagov/CSAF/refs/heads/develop/csaf_files/VA/white/2026/va-26-176-01.json