CVE-2026-9220
Status: Received - Intake
Hardcoded AES Keys in Setracker2 Android App

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: ICS-CERT

Description
Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior encrypts requests between the watch and its backend with static hardcoded AES keys and initialization vectors. This allows an attacker to decrypt Setracker2 watch traffic.
Affected Vendors & Products
Vendor: tgelec
Product: setracker2
Version / Range: up to 3.1.5 (excluding)
Note that this CPE range stops short of 3.1.5, while the description states that 3.1.5 and prior are affected. The description is the assigner's text, so treat 3.1.5 as in scope. No fixed version is listed on this page.
CWE
CWE-321: The product uses a hard-coded, unchangeable cryptographic key.
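A check for this weakness class in an app you are assessing, added here as an example and not code from Setracker2 or its vendor: a small Go scanner that runs over decompiled Java (the kind of output a decompiler such as jadx produces) and flags `SecretKeySpec` and `IvParameterSpec` constructions whose argument is a literal or a `final` String/byte[] constant with a literal initialiser. The Java snippet inside is constructed for the example, and every name in it (`KEY`, `IV`, `sessionKey`, the package name) is invented. It handles only simple single-line patterns; a key assembled at runtime from obfuscated pieces, or split across classes, needs a fuller decompiler pass or dynamic instrumentation.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records a key or IV built from a compile-time constant.
type Finding struct {
	Line   int    // 1-based line in the scanned source
	Kind   string // "key" or "iv"
	Source string // name of the constant, or "<literal>" for an inline value
}

var (
	// final String NAME = ...; or final byte[] NAME = ...;
	constRe = regexp.MustCompile(`final\s+(?:String|byte\s*\[\s*\])\s+(\w+)\s*=\s*(.+?);`)
	// new SecretKeySpec(<expr>, "AES") and new IvParameterSpec(<expr>)
	keyRe = regexp.MustCompile(`new\s+SecretKeySpec\s*\(\s*(.+?)\s*,\s*"[^"]*"\s*\)`)
	ivRe  = regexp.MustCompile(`new\s+IvParameterSpec\s*\(\s*(.+?)\s*\)`)
	// a string literal, a byte-array literal, or a bare array initialiser
	literalRe = regexp.MustCompile(`^(?:"|new\s+byte\s*\[\s*\]\s*\{|\{)`)
	identRe   = regexp.MustCompile(`^\w+`)
)

// constantSource decides whether an expression such as KEY.getBytes("UTF-8") or
// new byte[]{...} is fixed at build time. Only simple cases are handled: a literal,
// or an identifier declared final with a literal initialiser. A method parameter
// or a field filled at runtime is deliberately not flagged.
func constantSource(expr string, consts map[string]bool) (string, bool) {
	expr = strings.TrimSpace(expr)
	if literalRe.MatchString(expr) {
		return "<literal>", true
	}
	if id := identRe.FindString(expr); id != "" && consts[id] {
		return id, true
	}
	return "", false
}

// scanJava makes two passes over decompiled source: collect constants that have
// literal initialisers, then flag key and IV constructions fed by them.
func scanJava(src string) []Finding {
	lines := strings.Split(src, "\n")
	consts := map[string]bool{}
	for _, l := range lines {
		for _, m := range constRe.FindAllStringSubmatch(l, -1) {
			if literalRe.MatchString(strings.TrimSpace(m[2])) {
				consts[m[1]] = true
			}
		}
	}
	var out []Finding
	for i, l := range lines {
		for _, m := range keyRe.FindAllStringSubmatch(l, -1) {
			if from, ok := constantSource(m[1], consts); ok {
				out = append(out, Finding{i + 1, "key", from})
			}
		}
		for _, m := range ivRe.FindAllStringSubmatch(l, -1) {
			if from, ok := constantSource(m[1], consts); ok {
				out = append(out, Finding{i + 1, "iv", from})
			}
		}
	}
	return out
}

// sampleJava is a constructed snippet in the style of decompiler output. It is
// not code from the Setracker2 app; the names in it are invented.
const sampleJava = `package com.example.companion;
public class Crypto {
    private static final String KEY = "0123456789abcdef";
    private static final byte[] IV = new byte[]{1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
    private static final String HOST = "api.example.invalid";
    static byte[] encrypt(byte[] data, byte[] sessionKey) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        SecretKeySpec k = new SecretKeySpec(KEY.getBytes("UTF-8"), "AES");
        IvParameterSpec iv = new IvParameterSpec(IV);
        c.init(Cipher.ENCRYPT_MODE, k, iv);
        SecretKeySpec fine = new SecretKeySpec(sessionKey, "AES");
        IvParameterSpec zero = new IvParameterSpec(new byte[]{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0});
        return c.doFinal(data);
    }
}`

func main() {
	for _, f := range scanJava(sampleJava) {
		fmt.Printf("line %d: %s built from %s\n", f.Line, f.Kind, f.Source)
	}
}
```

Run against the embedded sample it reports the key on line 8, the IV on line 9 and the all-zero IV literal on line 12, and stays silent on line 11, where the key is a method parameter. Point it at the `sources/` tree of a jadx export to use it on a real APK.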
Executive Summary

The Setracker2 Android Companion App, versions 3.1.5 and earlier, encrypts communication between the watch and its backend server with a static AES key and initialization vector that are hardcoded in the app.

Because the key and IV are compiled into the app, anyone who downloads and decompiles the APK obtains them, and the same values serve every installation. An attacker positioned to capture the traffic can then decrypt it, compromising the confidentiality of the data. A fixed key and IV also make encryption deterministic: identical requests produce identical ciphertext, so message types and repeated values are visible on the wire even before decryption. The advisory does not name the cipher mode; if it is a counter-based mode such as CTR or GCM, reusing the IV additionally exposes the XOR of any two plaintexts.
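To make concrete what the description and the summary above claim, here is an added Go example; it is not code from Setracker2 or its vendor. It models the weak pattern with AES-CBC under a fixed key and IV, shows that holding those two constants is enough to decrypt any captured request and that requests with an equal prefix share their leading ciphertext blocks, and contrasts it with AES-GCM under a key that is not in the binary and a fresh random nonce per message. The key and IV values, the request format, the cipher mode and the PKCS#7 padding are all assumptions; the advisory names neither the mode nor the values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Placeholders for the constants an app like this ships inside its APK. They are
// invented for this example, not values taken from Setracker2.
var (
	staticKey = []byte("0123456789abcdef") // AES-128 key compiled into the app
	staticIV  = []byte("fedcba9876543210") // IV reused for every request
)

func mustCipher(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a malformed key length
	}
	return block
}

// AES-CBC with PKCS#7 padding is an assumption: the advisory does not name the mode.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) { // caller guarantees len(b) > 0
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// encryptStatic models the weak pattern: CBC under the fixed key and IV. The
// result is deterministic, and two requests whose first 16 plaintext bytes agree
// share their first ciphertext block, so message types show on the wire.
func encryptStatic(plaintext []byte) []byte {
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(mustCipher(staticKey), staticIV).CryptBlocks(out, padded)
	return out
}

// decryptStatic is all an attacker needs once the constants are out of the APK.
func decryptStatic(ciphertext []byte) ([]byte, error) {
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(mustCipher(staticKey), staticIV).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out)
}

// encryptGCM is the corrected pattern: a key that is not in the binary, a fresh
// random nonce per message (prepended to the output) and an authentication tag.
func encryptGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := cipher.NewGCM(mustCipher(key))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptGCM splits off the nonce and rejects anything that was tampered with.
func decryptGCM(key, data []byte) ([]byte, error) {
	gcm, err := cipher.NewGCM(mustCipher(key))
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

func main() {
	req1 := []byte(`{"cmd":"LOCATE","device":"000000000001"}`) // constructed sample request
	req2 := []byte(`{"cmd":"LOCATE","device":"000000000002"}`) // the JSON shape is invented
	c1, c2 := encryptStatic(req1), encryptStatic(req2)
	pt, _ := decryptStatic(c1)
	fmt.Printf("attacker recovers: %s\nequal first block: %v\n", pt, bytes.Equal(c1[:16], c2[:16]))
	key := make([]byte, 32) // stand-in for a key provisioned per device, not shipped in the app
	rand.Read(key)
	g1, _ := encryptGCM(key, req1)
	g2, _ := encryptGCM(key, req1)
	fmt.Println("same request, different GCM output:", !bytes.Equal(g1, g2))
}
```

The two sample requests agree in their first 32 bytes, so under the fixed IV their first two ciphertext blocks are identical and only the third differs; a passive observer can sort captured messages by type without ever decrypting. The GCM variant fixes both problems at once, but only if the key itself is also removed from the binary, which is why the example takes it as a parameter rather than a constant.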

Impact Analysis

This vulnerability allows an attacker holding the extracted key and IV to decrypt data transmitted between the Setracker2 watch and its backend server.

Whatever the watch and app exchange over this channel, which the advisory does not enumerate, could therefore be exposed, leading to privacy breaches or unauthorized access to user data. Because the key is identical in every copy of the app, extracting it once breaks confidentiality for all users, and it cannot be rotated without an app update that replaces the hardcoded values. The advisory describes only the confidentiality impact.
