CVE-2026-9220
Deferred Deferred - Pending Action

Hardcoded AES Keys in Setracker2 Android App

Vulnerability report for CVE-2026-9220, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: ICS-CERT

Description

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior encrypts requests between the watch and its backend with static hardcoded AES keys and initialization vectors. This allows an attacker to decrypt Setracker2 watch traffic.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
tgelec setracker2 to 3.1.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-321 The product uses a hard-coded, unchangeable cryptographic key.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Setracker2 Android Companion App versions 3.1.5 and earlier use static hardcoded AES encryption keys and initialization vectors to encrypt communication between the watch and its backend server.

Because these keys and vectors are hardcoded and static, an attacker can obtain them and decrypt the traffic sent from the Setracker2 watch, compromising the confidentiality of the data.

Impact Analysis

This vulnerability allows an attacker to decrypt the data transmitted between the Setracker2 watch and its backend server.

As a result, sensitive information sent by the watch could be exposed, leading to potential privacy breaches or unauthorized access to user data.

Compliance Impact

The vulnerability in Setracker2 Android Companion App involves the use of static hardcoded AES keys and initialization vectors to encrypt requests between the watch and its backend, allowing attackers to decrypt watch traffic. This exposure of potentially sensitive user data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require adequate protection of personal and health information.

Specifically, the inability to properly secure data in transit may violate requirements for confidentiality and integrity of personal data under these standards, potentially resulting in unauthorized access to user information and consequent regulatory penalties.

Mitigation Strategies

The Setracker2 Android Companion App versions 3.1.5 and prior use static hardcoded AES keys and initialization vectors to encrypt requests, allowing attackers to decrypt watch traffic.

No specific remediations or fixes are mentioned in the provided information.

Affected users are advised to contact the vendor or their local supplier for further guidance.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9220. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart