HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-9222Published Modified CNA icscert

CVE-2026-9222: Setracker2 Children's Smartwatch Ecosystem Use of password hash instead of password for authentication

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior only require the password hash when authenticating with backend services from the client. This could allow an attacker, who knows the hash, to authenticate and gain full access.

Metrics

CVSS v4.0
9.2
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is an authentication bypass vulnerability in the Setracker2 Android companion app (com.tgelec.setracker version 3.1.5 and prior), part of the children's smartwatch ecosystem made by Shenzhen i365-Tech. The app authenticates to its backend services by sending only a password hash rather than a real password, meaning anyone who obtains the hash can log in without knowing the original password. Successful exploitation gives an attacker full authenticated access to the account, exposing children's location data and the ability to tamper with device settings. HarborGuard tracks this advisory for patch availability, as no fix version has been published upstream.

HarborGuard Coverage

Detection

Detection for CVE-2026-9222 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including ICS-CERT advisories, within minutes of publication and matched against customer images and pipeline artifacts, including custom-built Android app container images that bundle com.tgelec.setracker at an affected version.

Available
Triage

HarborGuard is capable of scoring this finding at CVSS 9.2 (Critical, v4.0) and weighting it against each environment's compliance policy to determine urgency. Triage routing is available to direct the finding to the appropriate team inbox within each customer organization based on asset ownership and policy configuration.

Available
Patch

Because no upstream fix version has been published for CVE-2026-9222, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a remediated version appears upstream. In the meantime, compensating controls such as network-policy isolation for services that consume Setracker2 backend credentials are available for configuration through HarborGuard's policy engine.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the Setracker2 backend service over the network; the vulnerable authentication endpoint is exposed to internet-accessible infrastructure.

  • AuthenticationNot required

    No valid password is required; possession of the victim account's password hash is sufficient to authenticate, and no privileged account is needed to begin the attack.

  • Victim interactionNot required

    The attacker operates entirely against the backend API without requiring any action from the account owner or child device user.

  • Attack complexityDetail

    Base exploit logic is condition-free and reliable, though the attacker requires a precondition of obtaining the target account's password hash (noted as AT:P in the vector), such as through a prior data leak or interception.

Blast Radius

  • Reads the tracked GPS location history and real-time location of the child wearing the associated smartwatch.
  • Reads account credentials, profile data, and any stored personal information tied to the parent and child accounts.
  • Modifies device settings on the paired smartwatch, including geofence boundaries, contact lists, and SOS configuration.
  • Disrupts the monitoring service by locking out the legitimate account holder or altering alert rules.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-9222 is monitored on every ingest cycle against the ICS-CERT advisory feed. Because no upstream fix has been published, HarborGuard cannot yet offer a patched-image rebuild, but the advisory status is re-evaluated continuously and a rebuild will become available automatically when Shenzhen i365-Tech releases a remediated version of com.tgelec.setracker. While waiting for a patch, customers can use HarborGuard's policy engine to flag any image bundling affected versions of this package as non-compliant and block promotion through CI/CD pipelines. Recommended compensating controls include network-policy isolation to restrict which services can communicate with Setracker2 backend endpoints, egress filtering to limit outbound connections from app containers to known-good API hosts, and audit logging of authentication events against the backend to detect unexpected login sources. For customers who opt into auto-remediation, the rebuilt image, regression test run, and PR against affected workloads will be triggered automatically once an upstream fix is available.

See how HarborGuard automates this
Affected packages
  • Shenzhen i365-Tech Co. Ltd. / Setracker2 Parental Control App (Android) package com.tgelec.setracker
    ≤ 3.1.5
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References