CVE-2026-9219

MEDIUM 6.5

Setracker2 Children's Smartwatch Ecosystem Generation of Predictable Numbers or Identifiers

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior have a predictable registration ID derived from IMEI. The enrollment system lacks additional authentication before assignment. If an attacker is able to obtain the registration ID, they would be able to arbitrarily enroll watches belonging to other users.

CWE	CWE-340
Vendor	shenzhen i365-tech co. ltd.
Product	setracker2 parental control app (android) package com.tgelec.setracker
Published	Jun 25, 2026

Stay Ahead of the Next One

Get instant alerts for shenzhen i365-tech co. ltd. setracker2 parental control app (android) package com.tgelec.setracker

Be the first to know when new medium vulnerabilities affecting shenzhen i365-tech co. ltd. setracker2 parental control app (android) package com.tgelec.setracker are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Affected Versions

Shenzhen i365-Tech Co. Ltd. / Setracker2 Parental Control App (Android) package com.tgelec.setracker

0 ≤ 3.1.5

References

NVD ↗ CVE.org ↗ EPSS Data ↗

raw.githubusercontent.com: https://raw.githubusercontent.com/cisagov/CSAF/refs/heads/develop/csaf_files/VA/white/2026/va-26-176-01.json

Credits

Huancheng Hu of Hasso Plattner Institute reported these vulnerabilities to CISA, with support from Prof. Christian Doerr.