Impact
Setracker2’s registration identifiers are deterministic and directly derived from a device’s IMEI. Because the enrollment process does not enforce any additional authentication, a malicious actor who learns or guesses one of these predictable identifiers can enroll any other child’s smartwatch in the system. The attacker would then possess the same administrative capabilities as the legitimate owner, enabling remote monitoring, data extraction, or other privileged operations. This flaw therefore allows arbitrary device enrollment and potential control over a child’s wearable without the user’s consent.
Affected Systems
The vulnerability affects Shenzhen i365‑Tech’s Setracker2 Parental Control Application for Android (package com.tgelec.setracker). Versions 3.1.5 and earlier are impacted. The affected ecosystem comprises children’s smartwatches that rely on the companion app to register and link to the parent’s account.
Risk and Exploitability
Based on its CVSS rating, the flaw is considered high severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no documented public exploitation yet. Nevertheless, the predictability of the registration identifier makes exploitation straightforward: any adversary who can read the target’s IMEI, for example through a physical interface or via a compromised phone, can craft the enrollment payload and gain control of the smartwatch. Without a vendor patch, the risk remains elevated until a corrected registration mechanism or additional authentication is introduced.
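As an added illustration (not code from this advisory or from i365‑Tech), the model below contrasts an enrollment check gated only by a predictable, IMEI-derived identifier with one that requires a random, single-use pairing secret issued to the physical watch. The identifier derivation, the IMEI value and the class names are constructed stand-ins, not Setracker2’s actual scheme.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a deterministic, IMEI-derived registration ID.
# It is NOT Setracker2's real derivation; it only models the property the
# advisory describes: anyone who knows the IMEI can recompute the identifier.
def weak_registration_id(imei: str) -> str:
    return hashlib.sha256(imei.encode()).hexdigest()[:16]


class WeakEnrollment:
    """Enrollment gated only by the predictable identifier (the flaw)."""

    def __init__(self) -> None:
        self.owners: dict[str, set[str]] = {}

    def enroll(self, reg_id: str, account: str) -> bool:
        # No proof of possession: any caller presenting the id gets admin rights.
        self.owners.setdefault(reg_id, set()).add(account)
        return True


class HardenedEnrollment:
    """Enrollment requires a random, single-use pairing secret that the vendor
    backend issued to the physical watch (e.g. shown on its screen as a QR)."""

    def __init__(self) -> None:
        self.pending: dict[str, bytes] = {}   # imei -> hash of unused secret
        self.owners: dict[str, str] = {}      # imei -> bound account

    def provision(self, imei: str) -> str:
        # Factory / first-boot path: the secret reaches a user only via the device.
        secret = secrets.token_urlsafe(24)
        self.pending[imei] = hashlib.sha256(secret.encode()).digest()
        return secret

    def enroll(self, imei: str, presented: str, account: str) -> bool:
        expected = self.pending.get(imei)
        if expected is None or imei in self.owners:
            return False                       # nothing pending or already bound
        digest = hashlib.sha256(presented.encode()).digest()
        if not hmac.compare_digest(expected, digest):
            return False                       # wrong secret, e.g. an IMEI-derived guess
        del self.pending[imei]                 # single use: a replay cannot re-enroll
        self.owners[imei] = account
        return True
```

Knowing the IMEI alone is enough to enroll against the weak check, while the hardened check rejects the IMEI-derived guess, accepts the issued secret once, and refuses a replay.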
OpenCVE Enrichment