{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-9220: Setracker2 Children's Smartwatch Ecosystem Use of hard-coded cryptographic key","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-9220","status":"final","version":"1","initial_release_date":"2026-06-25T23:13:41.275Z","current_release_date":"2026-06-25T23:13:41.275Z","revision_history":[{"date":"2026-06-25T23:13:41.275Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior encrypts requests between the watch and its backend with static hardcoded AES keys and initialization vectors. This allows an attacker to decrypt Setracker2 watch traffic.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-9220 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-9220"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-9220"},{"category":"external","summary":"CISA CSAF advisory va-26-176-01 (raw JSON on GitHub)","url":"https://raw.githubusercontent.com/cisagov/CSAF/refs/heads/develop/csaf_files/VA/white/2026/va-26-176-01.json"}]},"product_tree":{"branches":[{"category":"vendor","name":"Shenzhen i365-Tech Co. Ltd.","branches":[{"category":"product_name","name":"Setracker2 Parental Control App (Android) package com.tgelec.setracker","branches":[{"category":"product_version_range","name":"<=3.1.5","product":{"name":"Shenzhen i365-Tech Co. Ltd. Setracker2 Parental Control App (Android) package com.tgelec.setracker <=3.1.5","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:shenzhen_i365-tech_co._ltd.:setracker2_parental_control_app_\\(android\\)_package_com.tgelec.setracker:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-9220","title":"Setracker2 Children's Smartwatch Ecosystem Use of hard-coded cryptographic key","notes":[{"category":"description","text":"Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior encrypts requests between the watch and its backend with static hardcoded AES keys and initialization vectors. This allows an attacker to decrypt Setracker2 watch traffic.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N","baseScore":8.7,"baseSeverity":"HIGH"},"products":["CSAFPID-1"]}],"remediations":[{"category":"none_available","details":"No fixed version is published yet. Monitor the upstream advisory. Until a fix is released, do not rely on this encryption for confidentiality: the AES keys and initialization vectors are static and shipped in the app, so watch traffic should be treated as readable by anyone able to observe it.","product_ids":["CSAFPID-1"]}]}]}