Description
Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior encrypts requests between the watch and its backend with static hardcoded AES keys and initialization vectors. This allows an attacker to decrypt Setracker2 watch traffic.
Published: 2026-06-25
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Setracker2 Android Companion App arises from the use of static hard‑coded AES keys and initialization vectors to encrypt communication between the child’s smartwatch and its backend. Because the keys never change, any party that can observe the network traffic can easily decrypt the data, leaking sensitive personal information such as location, communications, or device telemetry. This weakness allows an attacker to read confidential data that is intended to be protected, potentially enabling further exploitation.

Affected Systems

Shenzhen i365‑Tech Co. Ltd. produces the Setracker2 Parental Control App for Android, package name com.tgelec.setracker. Versions 3.1.5 and earlier are affected. The vulnerability lies in the communication layer, so any device or user running these app releases on Android with a compatible smartwatch is potentially exposed.

Risk and Exploitability

The CVSS score of 8.7 reflects a high severity, driven by the high confidentiality impact (VC:H) of the disclosed traffic. EPSS is not available and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is network-based: an attacker who can intercept traffic between the watch and the cloud can decrypt it, and because the static key and IV ship inside the app, no local privileges on the phone or watch are required. Consequently, the traffic can be decrypted without special privileges, making the weakness attractive to anyone positioned to sniff the traffic.

Generated by OpenCVE AI on June 26, 2026 at 00:22 UTC.

Remediation

Vendor Workaround

The vendor did not respond to CISA's attempts to contact it for coordination. No known remediations are available. Affected users are encouraged to contact the vendor or their local supplier.


OpenCVE Recommended Actions

  • Promptly contact Shenzhen i365‑Tech Co. Ltd. to request a security fix or guidance.
  • Remove or refrain from installing the affected Setracker2 app version on any device that may be connected to a child’s smartwatch.
  • Restrict network access for the app or block its traffic using a firewall or network monitoring device to reduce the chance of an attacker capturing the data.
  • Regularly monitor network traffic or device logs for abnormal data transmissions that could indicate sensitive information being leaked.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 23:45:00 +0000

Record created; values added (no values removed):

Description: Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior encrypts requests between the watch and its backend with static hardcoded AES keys and initialization vectors. This allows an attacker to decrypt Setracker2 watch traffic.
Title: Setracker2 Children's Smartwatch Ecosystem Use of hard-coded cryptographic key
Weaknesses: CWE-321
References:
Metrics:
  • cvssV3_1: score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • cvssV4_0: score 8.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-25T23:13:41.275Z

Reserved: 2026-05-21T17:34:14.249Z

Link: CVE-2026-9220

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T00:30:17Z

Weaknesses
  • CWE-321: Use of Hard-coded Cryptographic Key