CVE-2026-9219: CWE-340 Generation of Predictable Numbers or Identifiers in Shenzhen i365-Tech Co. Ltd. Setracker2 Parental Control App (Android) package com.tgelec.setracker
The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier have a vulnerability where the registration ID is predictably generated from the device IMEI. The enrollment system does not require additional authentication before assigning this ID. An attacker who obtains a registration ID could enroll watches belonging to other users without authorization.
AI Analysis
Technical Summary
CVE-2026-9219 describes a vulnerability in the Setracker2 Parental Control App for Android (package com.tgelec.setracker) where the registration ID is derived predictably from the IMEI number. Because the enrollment system lacks further authentication checks, an attacker with knowledge of a registration ID can enroll devices (watches) belonging to other users arbitrarily. This vulnerability is categorized under CWE-340 (Generation of Predictable Numbers or Identifiers). The CVSS 4.0 base score is 8.3, indicating high severity, with network attack vector, low attack complexity, and no privileges or user interaction required. The vulnerability was published on June 25, 2026. No patch or official remediation guidance is currently available, and no known exploits are reported in the wild.
Potential Impact
An attacker who obtains a predictable registration ID can enroll watches belonging to other users without authorization, potentially leading to unauthorized access or control over those devices. This compromises user privacy and device security. The vulnerability allows remote exploitation without requiring privileges or user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users and administrators should be cautious about sharing registration IDs and monitor for suspicious enrollments. Additional authentication mechanisms should be implemented by the vendor to prevent unauthorized enrollment.
CVE-2026-9219: CWE-340 Generation of Predictable Numbers or Identifiers in Shenzhen i365-Tech Co. Ltd. Setracker2 Parental Control App (Android) package com.tgelec.setracker
Description
The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier have a vulnerability where the registration ID is predictably generated from the device IMEI. The enrollment system does not require additional authentication before assigning this ID. An attacker who obtains a registration ID could enroll watches belonging to other users without authorization.
CVSS v4.0
Score 8.3high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-9219 describes a vulnerability in the Setracker2 Parental Control App for Android (package com.tgelec.setracker) where the registration ID is derived predictably from the IMEI number. Because the enrollment system lacks further authentication checks, an attacker with knowledge of a registration ID can enroll devices (watches) belonging to other users arbitrarily. This vulnerability is categorized under CWE-340 (Generation of Predictable Numbers or Identifiers). The CVSS 4.0 base score is 8.3, indicating high severity, with network attack vector, low attack complexity, and no privileges or user interaction required. The vulnerability was published on June 25, 2026. No patch or official remediation guidance is currently available, and no known exploits are reported in the wild.
Potential Impact
An attacker who obtains a predictable registration ID can enroll watches belonging to other users without authorization, potentially leading to unauthorized access or control over those devices. This compromises user privacy and device security. The vulnerability allows remote exploitation without requiring privileges or user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users and administrators should be cautious about sharing registration IDs and monitor for suspicious enrollments. Additional authentication mechanisms should be implemented by the vendor to prevent unauthorized enrollment.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- icscert
- Date Reserved
- 2026-05-21T17:34:13.252Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3dbdc04853345fc1a9483a
Added to database: 06/25/2026, 23:46:08 UTC
Last enriched: 06/26/2026, 00:01:22 UTC
Last updated: 06/26/2026, 00:01:22 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.