Description
The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier uses MD5 to generate a request signature for authenticating communications between the mobile client and the backend REST API. Attackers could potentially reverse the signature to recover the session ID. With the session ID exposed, an attacker could impersonate the legitimate user and issue authenticated API requests.
Published: 2026-06-25
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists because the Android Companion App for Setracker2 generates a request signature using MD5, a deprecated cryptographic hash function. Attackers can reverse the signature to recover the session ID, enabling them to authenticate as the legitimate user. With adversary can issue arbitrary API requests, potentially compromising personal data and controlling child device functions.

Affected Systems

This weakness affects the Setracker2 Parental Control App (Android) with package name com.tgelec.setracker, versions 3.1.5 and earlier, sold by Shenzhen i365-Tech Co. Ltd.

Risk and Exploitability

The CVSS score of 8.7 indicates a high-severity flaw. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but the attack vector is inferred to be remote, leveraging network communication to the backend REST API. An attacker who can observe or inject traffic can exploit the weakness without needing privileged local access.

Generated by OpenCVE AI on June 26, 2026 at 00:50 UTC.

Remediation

Vendor Workaround

The vendor was unresponsive in CISA's attempts to contact for coordination. No known remediations are available. Affected users are encouraged to contact the vendor or their local supplier.

OpenCVE Recommended Actions

  • Seek and install any available app update that replaces MD5 with a secure hash algorithm; apply an official patch if released.
  • In the absence of an update, uninstall or disable the Setracker2 app to remove the exploit surface.
  • Contact Shenzhen i365‑Tech or the device’s local supplier to request a remediation plan and report the vulnerability to CISA or other relevant authorities.
  • As a temporary countermeasure, block outbound traffic to the Setracker2 backend API endpoints using a network firewall or mobile data restrictions to prevent unauthorized API calls.

Generated by OpenCVE AI on June 26, 2026 at 00:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Shenzhen I365-tech
Shenzhen I365-tech setracker2 Parental Control App (android) Package Com.tgelec.setracker
Vendors & Products Shenzhen I365-tech
Shenzhen I365-tech setracker2 Parental Control App (android) Package Com.tgelec.setracker

Thu, 25 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier uses MD5 to generate a request signature for authenticating communications between the mobile client and the backend REST API. Attackers could potentially reverse the signature to recover the session ID. With the session ID exposed, an attacker could impersonate the legitimate user and issue authenticated API requests.
Title Setracker2 Children's Smartwatch Ecosystem Use of a Broken or Risky Cryptographic Algorithm
Weaknesses CWE-327
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Shenzhen I365-tech Setracker2 Parental Control App (android) Package Com.tgelec.setracker
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-26T12:31:29.011Z

Reserved: 2026-05-21T17:34:15.214Z

Link: CVE-2026-9221

cve-icon Vulnrichment

Updated: 2026-06-26T12:31:25.387Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:36:01Z

Weaknesses
  • CWE-327

    Use of a Broken or Risky Cryptographic Algorithm