Skip to main content

Setracker2 CVE-2026-9222

| EUVDEUVD-2026-39598 CRITICAL
Use of Password Hash Instead of Password for Authentication (CWE-836)
2026-06-26 ics-cert@hq.dhs.gov GHSA-f7c5-2gv6-7rwj
9.2
CVSS 4.0 · Vendor: hq
Share

Severity by source

Vendor (hq) PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable backend auth (AV:N) with no privileges or interaction, but AC:H because the attacker must first obtain the victim's password hash; full account compromise yields C/I/A:H.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (hq).

CVSS VectorVendor: hq

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 26, 2026 - 00:33 vuln.today
CVE Published
Jun 26, 2026 - 00:16 cve.org
CRITICAL 9.2

DescriptionCVE.org

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior only require the password hash when authenticating with backend services from the client. This could allow an attacker, who knows the hash, to authenticate and gain full access.

AnalysisAI

Authentication bypass in the Setracker2 Android companion app (com.tgelec.setracker) versions 3.1.5 and prior lets an attacker who possesses a user's stored password hash authenticate directly to the backend and gain full account access. Because the backend treats the password hash itself as the secret credential, the hash is password-equivalent and does not need to be cracked back to plaintext. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain victim password hash from leak/backup/capture
Delivery
Replay hash to Setracker2 backend auth API
Exploit
Backend accepts hash as credential
Execution
Authenticate as victim
Impact
Gain full account and device-location access

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already know or possess the target account's password hash - the description states authentication only requires the hash, and the CVSS 4.0 AT:P flag confirms this prerequisite. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and should be read carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker obtains a victim's stored Setracker2 password hash - for example from a leaked backend database, a device/app backup, or captured client traffic - and replays that hash directly to the backend authentication endpoint. Since the backend accepts the hash as the credential, the attacker logs in as the victim and gains full account access, including the ability to view the tracked device's location. …
Remediation No vendor-released patch identified at time of analysis; no fixed version was supplied in the input data, so do not assume an upgrade target - consult the CISA advisory VA-26-176-01 (https://raw.githubusercontent.com/cisagov/CSAF/refs/heads/develop/csaf_files/VA/white/2026/va-26-176-01.json) and TGELEC for a corrected build before relying on one. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all deployed Setracker2 instances (com.tgelec.setracker v3.1.5 and below) and assess whether password hashes may have been exposed through prior breaches or unauthorized access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9222 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy