Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable and unauthenticated (AV:N/PR:N), but requires capturing signed traffic and reversing an MD5 digest (AC:H); session-ID disclosure gives C:H and replayed authenticated calls a limited integrity impact (I:L).
Primary rating from Vendor (hq).
CVSS VectorVendor: hq
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier uses MD5 to generate a request signature for authenticating communications between the mobile client and the backend REST API. Attackers could potentially reverse the signature to recover the session ID. With the session ID exposed, an attacker could impersonate the legitimate user and issue authenticated API requests.
AnalysisAI
Session hijacking in the Setracker2 Android companion app (com.tgelec.setracker) version 3.1.5 and earlier stems from the use of MD5 to generate the request signature that authenticates traffic between the mobile client and the backend REST API. Because MD5 is cryptographically broken, an attacker who can observe a signed request may reverse the signature to recover the embedded session ID and then impersonate the legitimate user, issuing authenticated API calls against the kids'/GPS-tracker backend. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to obtain a signed client request and then reverse its MD5-based signature to recover the session ID - so the concrete prerequisite is access to the signed API traffic (network observation/interception of com.tgelec.setracker communications) rather than any special victim configuration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are partially conflicting and should be weighed rather than taken at face value. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker positioned to observe the victim's app-to-API traffic (e.g., on a shared or hostile Wi-Fi network, or via a network MitM position) captures a signed REST request from the Setracker2 client. They reverse the MD5-based signature to recover the embedded session ID, then replay authenticated API calls as the victim to read the tracked device's data and issue commands. … |
| Remediation | No vendor-released patch version is identified at time of analysis; the source data lists no fixed app build, so monitor the CISA CSAF advisory va-26-176-01 (https://raw.githubusercontent.com/cisagov/CSAF/refs/heads/develop/csaf_files/VA/white/2026/va-26-176-01.json) and the Google Play listing for com.tgelec.setracker for an update beyond 3.1.5 and apply it once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all deployed Setracker2 instances running versions ≤3.1.5 and quantify affected users; activate incident response protocols and begin customer notification drafts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39597
GHSA-cfh3-g8cw-7pfq