{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-9219: Setracker2 Children's Smartwatch Ecosystem Generation of Predictable Numbers or Identifiers","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-9219","status":"final","version":"1","initial_release_date":"2026-06-25T23:10:19.862Z","current_release_date":"2026-06-25T23:10:19.862Z","revision_history":[{"date":"2026-06-25T23:10:19.862Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior have a predictable registration ID derived from IMEI. The enrollment system lacks additional authentication before assignment. If an attacker is able to obtain the registration ID, they would be able to arbitrarily enroll watches belonging to other users.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-9219 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-9219"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-9219"},{"category":"external","summary":"raw.githubusercontent.com","url":"https://raw.githubusercontent.com/cisagov/CSAF/refs/heads/develop/csaf_files/VA/white/2026/va-26-176-01.json"}]},"product_tree":{"branches":[{"category":"vendor","name":"Shenzhen i365-Tech Co. Ltd.","branches":[{"category":"product_name","name":"Setracker2 Parental Control App (Android) package com.tgelec.setracker","branches":[{"category":"product_version_range","name":"<=3.1.5","product":{"name":"Shenzhen i365-Tech Co. Ltd. Setracker2 Parental Control App (Android) package com.tgelec.setracker <=3.1.5","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:shenzhen_i365-tech_co._ltd.:setracker2_parental_control_app_\\(android\\)_package_com.tgelec.setracker:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-9219","title":"Setracker2 Children's Smartwatch Ecosystem Generation of Predictable Numbers or Identifiers","notes":[{"category":"description","text":"Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior have a predictable registration ID derived from IMEI. The enrollment system lacks additional authentication before assignment. If an attacker is able to obtain the registration ID, they would be able to arbitrarily enroll watches belonging to other users.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N","baseScore":8.3,"baseSeverity":"HIGH"},"products":["CSAFPID-1"]}],"remediations":[{"category":"none_available","details":"No fixed version is published yet. Monitor the upstream advisory.","product_ids":["CSAFPID-1"]}]}]}