CVE-2026-9221 in Setracker2 Parental Control App package com.tgelec.setracker
Summary
by MITRE • 06/26/2026
The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier uses MD5 to generate a request signature for authenticating communications between the mobile client and the backend REST API. Attackers could potentially reverse the signature to recover the session ID. With the session ID exposed, an attacker could impersonate the legitimate user and issue authenticated API requests.
Analysis
by VulDB Data Team • 06/26/2026
The Setracker2 Android Companion App presents a critical security vulnerability through its reliance on MD5 hashing for request signature generation within its authentication mechanism. This flaw resides in the mobile application's communication protocol with the backend REST API, where MD5 is employed to create cryptographic signatures that validate client authenticity. The vulnerability affects versions 3.1.5 and earlier of the application, representing a fundamental weakness in the cryptographic implementation that undermines the entire security posture of the authentication system.
The technical flaw stems from MD5's inherent cryptographic weaknesses that have been well-documented since 2005, when collision attacks were first demonstrated by researchers like Xiaoyun Wang. This hash function is vulnerable to both collision and preimage attacks, making it unsuitable for security-sensitive applications. The application's implementation fails to apply proper cryptographic practices such as using salted hashes or stronger algorithms like SHA-256 or SHA-3. When attackers reverse the MD5 signature generation process, they can extract session identifiers that serve as the primary authentication token, effectively bypassing the app's security controls.
The operational impact of this vulnerability extends beyond simple unauthorized access, creating a comprehensive compromise scenario where attackers can fully impersonate legitimate users within the application ecosystem. Once an attacker obtains a valid session ID through signature reversal, they gain unrestricted access to all authenticated API endpoints that the compromised user could access. This includes potential data exfiltration, modification of user settings, creation of malicious entries, and unauthorized transactions depending on the application's functionality. The vulnerability enables persistent attacks where attackers can maintain long-term access without requiring repeated authentication attempts.
This security weakness directly correlates with CWE-327, which addresses the use of weak cryptographic algorithms, and aligns with ATT&CK technique T1566 for credential access through social engineering or exploitation of weak authentication mechanisms. The vulnerability also maps to the broader category of insufficient cryptography practices that have been consistently identified in mobile application security assessments. Organizations should immediately implement mitigations, including migration to stronger cryptographic algorithms such as SHA-256 or SHA-3, proper session management with secure token generation, and secure coding practices that prevent similar issues in future releases. Additionally, the application should incorporate random salt values for each signature generation process to prevent precomputed attacks, and it should ensure that all authentication tokens are properly rotated and validated against the cryptographic algorithm selection guidance in NIST SP 800-131A.
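The contrast between the weak pattern described above and the recommended fix, as an added example that is neither Setracker2's code nor VulDB's: the exact Setracker2 signing scheme is not documented here, so the weak variant is an assumed construction that shares the advisory's defect (an unkeyed MD5 over request fields in which the session ID is the only secret), and the hardened variant uses a per-session secret with HMAC-SHA256, a timestamp window and a nonce replay check; the field names and paths are illustrative.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Assumed weak scheme (not the app's actual code): an unkeyed MD5 digest.
# It is a deterministic function of public request fields plus the session ID,
# so the session ID is the only secret and the scheme is no stronger than
# guessing it; there is no key to stop offline recomputation.
def weak_signature(session_id: str, method: str, path: str, body: str) -> str:
    return hashlib.md5(f"{session_id}{method}{path}{body}".encode()).hexdigest()

# Hardened scheme: a per-session signing key that never travels on the wire,
# and HMAC-SHA256 over a canonical string binding method, path, body,
# timestamp and nonce.
def issue_session() -> Tuple[str, bytes]:
    """Server side: return (public session ID, secret per-session signing key)."""
    return secrets.token_urlsafe(16), secrets.token_bytes(32)

def canonical(method: str, path: str, body: str, ts: int, nonce: str) -> bytes:
    # Newline separators keep adjacent fields from being confused with each other
    body_hash = hashlib.sha256(body.encode()).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(ts), nonce]).encode()

def sign_request(key: bytes, method: str, path: str, body: str, ts: int, nonce: str) -> str:
    return hmac.new(key, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()

class Verifier:
    """Server-side check: keyed MAC, constant-time compare, time window, replay cache."""
    def __init__(self, max_skew: int = 300):
        self.max_skew = max_skew
        self.seen_nonces = set()  # use a shared store (e.g. a database) in production

    def verify(self, key: bytes, method: str, path: str, body: str, ts: int,
               nonce: str, sig: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        if abs(now - ts) > self.max_skew:
            return False  # stale or future-dated request
        if nonce in self.seen_nonces:
            return False  # replayed request
        expected = sign_request(key, method, path, body, ts, nonce)
        if not hmac.compare_digest(expected, sig):
            return False  # tampered fields or wrong key
        self.seen_nonces.add(nonce)
        return True
```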