Description
Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior only require the password hash when authenticating with backend services from the client. This could allow an attacker, who knows the hash, to authenticate and gain full access.
Published: 2026-06-25
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Setracker2 Android Companion App, versions 3.1.5 and prior, accepts a password hash instead of an actual password when authenticating with backend services. If an attacker learns this hash, they can authenticate as any user and gain full access to the application’s functionalities and the device it controls. This flaw allows unauthorized control over a smartwatch and the data it manages, which could expose personal information and allow manipulation of the device’s parental controls.

Affected Systems

Shenzhen i365-Tech Co. Ltd.’s Setracker2 Parental Control App for Android (package com.tgelec.setracker). Affected versions are 3.1.5 and all earlier releases.

Risk and Exploitability

The CVSS score of 9.2 indicates high severity. EPSS data is not available and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector requires an attacker to obtain the password hash, for example by reverse‑engineering the app or intercepting network traffic. Once the hash is known, authentication succeeds without the actual password, giving full account privileges. The risk is therefore significant, but exploitation depends on the attacker’s ability to acquire the hash.

Generated by OpenCVE AI on June 26, 2026 at 00:20 UTC.

Remediation

Vendor Workaround

The vendor was unresponsive in CISA's attempts to contact for coordination. No known remediations are available. Affected users are encouraged to contact the vendor or their local supplier.

OpenCVE Recommended Actions

  • Uninstall or disable the vulnerable Setracker2 Parental Control App until a vendor fix is provided.
  • Replace the app with a trusted alternative that enforces proper password handling.
  • Contact Shenzhen i365‑Tech or local supplier for updates or a remediation plan.

Generated by OpenCVE AI on June 26, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Shenzhen I365
Shenzhen I365 setracker2 Parental Control App (android) Package Com.tgelec.setracker
Vendors & Products Shenzhen I365
Shenzhen I365 setracker2 Parental Control App (android) Package Com.tgelec.setracker

Thu, 25 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior only require the password hash when authenticating with backend services from the client. This could allow an attacker, who knows the hash, to authenticate and gain full access.
Title Setracker2 Children's Smartwatch Ecosystem Use of password hash instead of password for authentication
Weaknesses CWE-836
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Shenzhen I365 Setracker2 Parental Control App (android) Package Com.tgelec.setracker
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-26T12:30:58.329Z

Reserved: 2026-05-21T17:34:16.235Z

Link: CVE-2026-9222

cve-icon Vulnrichment

Updated: 2026-06-26T12:30:53.919Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:35:59Z

Weaknesses
  • CWE-836

    Use of Password Hash Instead of Password for Authentication