Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N and PR:N/UI:N since keys come from the public APK with no auth, but AC:H because the attacker must first be positioned to intercept traffic; confidentiality-only (C:H, I/A:N).
Primary rating from Vendor (hq).
CVSS VectorVendor: hq
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior encrypts requests between the watch and its backend with static hardcoded AES keys and initialization vectors. This allows an attacker to decrypt Setracker2 watch traffic.
AnalysisAI
Cleartext recovery of Setracker2 GPS-watch traffic is possible because the com.tgelec.setracker Android companion app (versions 3.1.5 and prior) protects watch-to-backend requests with static, hardcoded AES keys and initialization vectors. Any attacker who can observe the encrypted traffic - or who extracts the keys from the freely distributed APK - can decrypt communications between the wearable tracker and its cloud backend, exposing location and account data of the (frequently child) wearers. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to (1) obtain the static AES key and IV, which is trivial because they are embedded in the publicly downloadable com.tgelec.setracker APK, and (2) be positioned to capture the encrypted watch-to-backend traffic via passive sniffing or man-in-the-middle interception. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (8.7) reads AV:N/AC:L/PR:N/UI:N with VC:H and VI:N/VA:N - a confidentiality-only impact reachable over the network with no privileges or user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker extracts the hardcoded AES key and IV from a copy of the Setracker2 APK pulled from the Play Store, then passively captures or intercepts traffic between a target's watch app and the backend (e.g., on a shared Wi-Fi network or via an upstream position). Using the recovered static key, the attacker decrypts the request payloads and reads the watch wearer's location and account information. … |
| Remediation | No vendor-released patch version is identified in the available data, so a specific fixed release cannot be cited; consult the CISA advisory VA-26-176-01 (https://raw.githubusercontent.com/cisagov/CSAF/refs/heads/develop/csaf_files/VA/white/2026/va-26-176-01.json) for any vendor update once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all deployed Setracker2 instances and affected user populations; assess whether location data is classified as sensitive personal information under your data protection policies. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-321 – Use of Hard-coded Cryptographic Key
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39592
GHSA-9ppg-rg73-3244