CVE-2026-9221: CWE-327 Use of a Broken or Risky Cryptographic Algorithm in Shenzhen i365-Tech Co. Ltd. Setracker2 Parental Control App (Android) package com.tgelec.setracker
The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier use the MD5 cryptographic algorithm to generate request signatures for authenticating communications with the backend REST API. This use of MD5, a broken and risky algorithm, allows attackers to potentially reverse the signature and recover the session ID. With the session ID exposed, attackers could impersonate legitimate users and issue authenticated API requests. The vulnerability has a high severity with a CVSS score of 8.7. No patch or official remediation has been confirmed at this time.
AI Analysis
Technical Summary
CVE-2026-9221 identifies a cryptographic weakness in the Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier, where MD5 is used to generate request signatures for authenticating client-server communications. MD5 is considered broken and vulnerable to collision and preimage attacks, enabling attackers to reverse the signature and recover session IDs. This exposure allows attackers to impersonate users and perform authenticated API requests without authorization. The vulnerability is rated high severity (CVSS 8.7) and no official fix or patch has been documented in the vendor advisory or other sources.
Potential Impact
Attackers can exploit the weak MD5-based signature mechanism to recover session IDs, enabling user impersonation and unauthorized authenticated API requests. This compromises the confidentiality and integrity of user sessions and potentially allows unauthorized access to user data or control over the parental control app functions.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users and administrators should be cautious about using affected versions and monitor for vendor updates. No official remediation or temporary fix has been documented.
CVE-2026-9221: CWE-327 Use of a Broken or Risky Cryptographic Algorithm in Shenzhen i365-Tech Co. Ltd. Setracker2 Parental Control App (Android) package com.tgelec.setracker
Description
The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier use the MD5 cryptographic algorithm to generate request signatures for authenticating communications with the backend REST API. This use of MD5, a broken and risky algorithm, allows attackers to potentially reverse the signature and recover the session ID. With the session ID exposed, attackers could impersonate legitimate users and issue authenticated API requests. The vulnerability has a high severity with a CVSS score of 8.7. No patch or official remediation has been confirmed at this time.
CVSS v4.0
Score 8.7high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-9221 identifies a cryptographic weakness in the Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier, where MD5 is used to generate request signatures for authenticating client-server communications. MD5 is considered broken and vulnerable to collision and preimage attacks, enabling attackers to reverse the signature and recover session IDs. This exposure allows attackers to impersonate users and perform authenticated API requests without authorization. The vulnerability is rated high severity (CVSS 8.7) and no official fix or patch has been documented in the vendor advisory or other sources.
Potential Impact
Attackers can exploit the weak MD5-based signature mechanism to recover session IDs, enabling user impersonation and unauthorized authenticated API requests. This compromises the confidentiality and integrity of user sessions and potentially allows unauthorized access to user data or control over the parental control app functions.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users and administrators should be cautious about using affected versions and monitor for vendor updates. No official remediation or temporary fix has been documented.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- icscert
- Date Reserved
- 2026-05-21T17:34:15.214Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3dbdc04853345fc1a94840
Added to database: 06/25/2026, 23:46:08 UTC
Last enriched: 06/26/2026, 00:00:59 UTC
Last updated: 06/26/2026, 00:48:37 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.