CVE-2026-9222
Deferred Deferred - Pending Action

Authentication Bypass via Password Hash in Setracker2 Android App

Vulnerability report for CVE-2026-9222, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: ICS-CERT

Description

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior only require the password hash when authenticating with backend services from the client. This could allow an attacker, who knows the hash, to authenticate and gain full access.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-07-16
AI Q&A
2026-06-27
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
tgelec setracker2 to 3.1.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-836 The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

The CVE description does not provide specific mitigation steps or immediate actions to take for this vulnerability.

Since the vulnerability allows an attacker who knows the password hash to authenticate and gain full access, it is advisable to limit exposure by restricting network access to the backend services and monitoring for unauthorized access attempts.

Executive Summary

The vulnerability exists in the Setracker2 Android Companion App versions 3.1.5 and prior. The app only requires the password hash for authentication with backend services. This means that if an attacker knows the password hash, they can authenticate as a legitimate user and gain full access to the system.

Impact Analysis

This vulnerability can allow an attacker to bypass normal authentication controls by using a known password hash. As a result, the attacker can gain full access to the backend services, potentially leading to unauthorized data access, data manipulation, or other malicious activities.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9222. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart