Skip to main content

Setracker2 CVE-2026-9220

| EUVDEUVD-2026-39592 HIGH
Use of Hard-coded Cryptographic Key (CWE-321)
2026-06-26 ics-cert@hq.dhs.gov GHSA-9ppg-rg73-3244
8.7
CVSS 4.0 · Vendor: hq
Share

Severity by source

Vendor (hq) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.9 MEDIUM

AV:N and PR:N/UI:N since keys come from the public APK with no auth, but AC:H because the attacker must first be positioned to intercept traffic; confidentiality-only (C:H, I/A:N).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (hq).

CVSS VectorVendor: hq

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 26, 2026 - 00:31 vuln.today
CVE Published
Jun 26, 2026 - 00:16 cve.org
HIGH 8.7

DescriptionCVE.org

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior encrypts requests between the watch and its backend with static hardcoded AES keys and initialization vectors. This allows an attacker to decrypt Setracker2 watch traffic.

AnalysisAI

Cleartext recovery of Setracker2 GPS-watch traffic is possible because the com.tgelec.setracker Android companion app (versions 3.1.5 and prior) protects watch-to-backend requests with static, hardcoded AES keys and initialization vectors. Any attacker who can observe the encrypted traffic - or who extracts the keys from the freely distributed APK - can decrypt communications between the wearable tracker and its cloud backend, exposing location and account data of the (frequently child) wearers. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Download Setracker2 APK
Delivery
Reverse-engineer to extract static AES key/IV
Exploit
Intercept watch-to-backend traffic
Execution
Decrypt captured payloads
Impact
Disclose wearer location and account data

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to (1) obtain the static AES key and IV, which is trivial because they are embedded in the publicly downloadable com.tgelec.setracker APK, and (2) be positioned to capture the encrypted watch-to-backend traffic via passive sniffing or man-in-the-middle interception. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (8.7) reads AV:N/AC:L/PR:N/UI:N with VC:H and VI:N/VA:N - a confidentiality-only impact reachable over the network with no privileges or user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker extracts the hardcoded AES key and IV from a copy of the Setracker2 APK pulled from the Play Store, then passively captures or intercepts traffic between a target's watch app and the backend (e.g., on a shared Wi-Fi network or via an upstream position). Using the recovered static key, the attacker decrypts the request payloads and reads the watch wearer's location and account information. …
Remediation No vendor-released patch version is identified in the available data, so a specific fixed release cannot be cited; consult the CISA advisory VA-26-176-01 (https://raw.githubusercontent.com/cisagov/CSAF/refs/heads/develop/csaf_files/VA/white/2026/va-26-176-01.json) for any vendor update once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all deployed Setracker2 instances and affected user populations; assess whether location data is classified as sensitive personal information under your data protection policies. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9220 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy