Setracker2 Children’s Smartwatch Ecosystem Use of hard-coded cryptographic key

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior encrypts requests between the watch and its backend with static hardcoded AES keys and initialization vectors. This allows an attacker to decrypt Setracker2 watch traffic.

AI Analysis

Use of hard-coded cryptographic key in Setracker2 Android Companion App allows an attacker to decrypt watch traffic

Basic Information

ID CVE-2026-9220

Source icscert

Published Jun 25, 2026 at 23:13

Affected Product

Vendor Shenzhen i365-Tech Co. Ltd.

Product Setracker2 Parental Control App (Android) package com.tgelec.setracker

Version 3.1.5

Affected Versions Shenzhen i365-Tech Co. Ltd. Setracker2 Parental Control App (Android) package com.tgelec.setracker 0

CWE Classification

CWE-321

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor Shenzhen i365-Tech Co. Ltd.

Product Setracker2 Parental Control App

Version 3.1.5 and prior

References

raw.githubusercontent.com /cisagov/CSAF/refs/heads/develop/csaf_files/VA/white/2026/va-26-176-01.json

{
    "lastseen": "",
    "description": "Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior encrypts requests between the watch and its backend with static hardcoded AES keys and initialization vectors. This allows an attacker to decrypt Setracker2 watch traffic.",
    "published": "2026-06-25T23:13:41.275Z",
    "modified": "2026-06-25T23:13:41.275Z",
    "type": "cve",
    "title": "Setracker2 Children's Smartwatch Ecosystem Use of hard-coded cryptographic key",
    "source": "icscert",
    "references": "https://raw.githubusercontent.com/cisagov/CSAF/refs/heads/develop/csaf_files/VA/white/2026/va-26-176-01.json",
    "id": "CVE-2026-9220",
    "bulletinFamily": "",
    "cwe": [
        "CWE-321"
    ],
    "cvelist": null,
    "sourceData": "Shenzhen i365-Tech Co. Ltd. Setracker2 Parental Control App (Android) package com.tgelec.setracker 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Setracker2 Parental Control App (Android) package com.tgelec.setracker",
    "version": "3.1.5",
    "vendor": "Shenzhen i365-Tech Co. Ltd.",
    "ai_description": "Use of hard-coded cryptographic key in Setracker2 Android Companion App allows an attacker to decrypt watch traffic",
    "ai_severity": "High",
    "ai_vendor": "Shenzhen i365-Tech Co. Ltd.",
    "ai_product": "Setracker2 Parental Control App",
    "ai_version": "3.1.5 and prior",
    "ai_score": 8.7
}

Setracker2 Children’s Smartwatch Ecosystem Use of hard-coded cryptographic key_CVE-2026-9220