CVE-2026-9219
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and prior generate a predictable registration ID derived from IMEI. The enrollment system lacks additional authentication before assignment, allowing an attacker who obtains the registration ID to arbitrarily enroll watches belonging to other users.
Risk Assessment
The risk involves potential takeover of other users' devices (watches), leading to privacy breaches, location tracking, or impersonation of the victim.
Recommendation
Immediately update the Setracker2 app to the latest available version that fixes this vulnerability. If no update is available, consider temporarily discontinuing use of the app until a patch is released.
Original NVD description (English source)
Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior have a predictable registration ID derived from IMEI. The enrollment system lacks additional authentication before assignment. If an attacker is able to obtain the registration ID, they would be able to arbitrarily enroll watches belonging to other users.

