CVE-2026-9220

HIGH 7.5

Setracker2 Children's Smartwatch Ecosystem Use of hard-coded cryptographic key

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior encrypts requests between the watch and its backend with static hardcoded AES keys and initialization vectors. This allows an attacker to decrypt Setracker2 watch traffic.

CWE	CWE-321
Vendor	shenzhen i365-tech co. ltd.
Product	setracker2 parental control app (android) package com.tgelec.setracker
Published	Jun 25, 2026

Stay Ahead of the Next One

Get instant alerts for shenzhen i365-tech co. ltd. setracker2 parental control app (android) package com.tgelec.setracker

Be the first to know when new high vulnerabilities affecting shenzhen i365-tech co. ltd. setracker2 parental control app (android) package com.tgelec.setracker are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

Shenzhen i365-Tech Co. Ltd. / Setracker2 Parental Control App (Android) package com.tgelec.setracker

0 ≤ 3.1.5

References

NVD ↗ CVE.org ↗ EPSS Data ↗

raw.githubusercontent.com: https://raw.githubusercontent.com/cisagov/CSAF/refs/heads/develop/csaf_files/VA/white/2026/va-26-176-01.json

Credits

Huancheng Hu of Hasso Plattner Institute reported these vulnerabilities to CISA, with support from Prof. Christian Doerr.