Executive Summary

CVE-2026-9219 affects the Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier. The vulnerability involves a predictable registration ID that is derived from the device's IMEI number.

Because the enrollment system does not require additional authentication before assigning the registration ID, an attacker who obtains this predictable registration ID can arbitrarily enroll watches that belong to other users.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to enroll and potentially control watches belonging to other users without their permission.

Such unauthorized enrollment could lead to privacy violations, unauthorized access to user data, and misuse of the devices.

Since the vendor has been unresponsive and no known remediations are available, affected users are advised to contact the vendor or their local supplier for further guidance.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves a predictable registration ID derived from the device's IMEI used by the Setracker2 Android Companion App. Detection would require monitoring for unusual or unauthorized enrollment attempts of watches using registration IDs that could be predicted or derived from IMEI values.

No specific detection commands or tools are provided in the available information.

Useful 0 Not Useful 0

Mitigation Strategies

Since the vendor has been unresponsive and no known remediations are available, affected users are advised to contact the vendor or their local supplier for further guidance.

Additionally, users should monitor for unauthorized enrollments and consider limiting exposure of IMEI information to reduce the risk of attackers obtaining predictable registration IDs.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify how the vulnerability in Setracker2 Android Companion App affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0