Skip to main content

Setracker2 App EUVDEUVD-2026-39597

| CVE-2026-9221 HIGH
Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
2026-06-26 ics-cert@hq.dhs.gov GHSA-cfh3-g8cw-7pfq
8.7
CVSS 4.0 · Vendor: hq
Share

Severity by source

Vendor (hq) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable and unauthenticated (AV:N/PR:N), but requires capturing signed traffic and reversing an MD5 digest (AC:H); session-ID disclosure gives C:H and replayed authenticated calls a limited integrity impact (I:L).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (hq).

CVSS VectorVendor: hq

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 26, 2026 - 00:31 vuln.today
CVE Published
Jun 26, 2026 - 00:16 cve.org
HIGH 8.7

DescriptionCVE.org

The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier uses MD5 to generate a request signature for authenticating communications between the mobile client and the backend REST API. Attackers could potentially reverse the signature to recover the session ID. With the session ID exposed, an attacker could impersonate the legitimate user and issue authenticated API requests.

AnalysisAI

Session hijacking in the Setracker2 Android companion app (com.tgelec.setracker) version 3.1.5 and earlier stems from the use of MD5 to generate the request signature that authenticates traffic between the mobile client and the backend REST API. Because MD5 is cryptographically broken, an attacker who can observe a signed request may reverse the signature to recover the embedded session ID and then impersonate the legitimate user, issuing authenticated API calls against the kids'/GPS-tracker backend. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Intercept signed app-to-API request
Delivery
Reverse MD5 signature offline
Exploit
Recover embedded session ID
Execution
Replay authenticated API calls
Impact
Impersonate user and access tracker data

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to obtain a signed client request and then reverse its MD5-based signature to recover the session ID - so the concrete prerequisite is access to the signed API traffic (network observation/interception of com.tgelec.setracker communications) rather than any special victim configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are partially conflicting and should be weighed rather than taken at face value. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker positioned to observe the victim's app-to-API traffic (e.g., on a shared or hostile Wi-Fi network, or via a network MitM position) captures a signed REST request from the Setracker2 client. They reverse the MD5-based signature to recover the embedded session ID, then replay authenticated API calls as the victim to read the tracked device's data and issue commands. …
Remediation No vendor-released patch version is identified at time of analysis; the source data lists no fixed app build, so monitor the CISA CSAF advisory va-26-176-01 (https://raw.githubusercontent.com/cisagov/CSAF/refs/heads/develop/csaf_files/VA/white/2026/va-26-176-01.json) and the Google Play listing for com.tgelec.setracker for an update beyond 3.1.5 and apply it once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all deployed Setracker2 instances running versions ≤3.1.5 and quantify affected users; activate incident response protocols and begin customer notification drafts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39597 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy