External risk intelligence

Setracker2 Android App Weak Authentication Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-9222

The vulnerability affects a mobile companion application that communicates with backend services. While these services are network-reachable, mobile app backends are not inherently public-facing web services or edge gateways. Exposure depends on the specific deployment of the backend infrastructure, which is not clearly established as public-facing by design in the provided context.

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

The Setracker2 Android Companion App has a vulnerability where it improperly handles authentication, potentially allowing an attacker to gain full access if they know a password hash. This could impact systems that rely on this app for client-side authentication with backend services. The main concern is confirming relevance and exposure.

  • An app flaw allows unauthorized access with a password hash.
  • Its existence may warrant review of associated backend systems.
  • Confirm if this app is used and exposed to any risk.

Attack Path

How an attacker could exploit the issue

An attacker could reach the Setracker2 Android Companion App's backend services and gain unauthorized access if they know the password hash. This vulnerability allows an unauthenticated attacker to authenticate with the backend, potentially leading to full system compromise.

  • Requires knowledge of a password hash.
  • Authentication with backend services.
  • Full system access and compromise.

Live Threat

Current exploitation, exposure, and threat context

The Setracker2 Android Companion App could allow an attacker who knows the password hash to authenticate to backend services and gain full access when supported by the advisory.

  • Backend service authentication.
  • Attacker uses known password hash.
  • Unauthorized full access to services.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Android Companion App requires immediate attention from application owners and infrastructure teams to identify all instances of the affected application and its backend services. The first practical step is to determine the reachability and business criticality of these backend services to prioritize remediation efforts and coordinate with the vendor for a solution.

  • Application and infrastructure teams own this.
  • Verify backend service reachability and criticality.
  • Plan vendor coordination for remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Setracker2 Android app?

Setracker2 is a mobile companion application (com.tgelec.setracker) used to manage and interface with connected tracking devices. It acts as the bridge between the user's mobile device and backend services that process location data and device commands. In versions 3.1.5 and earlier, this app facilitates the communication required for authorized users to interact with their registered hardware.

What does CWE-836 mean for CVE-2026-9222?

This vulnerability is classified as CWE-836, which refers to the use of a password hash as an authentication credential. Essentially, the app's design mistakenly treats the hash as the equivalent of a cleartext password. Because the backend expects only this hash to verify identity, an attacker who obtains the hash can bypass the intended authentication process entirely and masquerade as a legitimate user.

How does an attacker trigger this vulnerability?

To exploit this, an attacker must possess the specific password hash for an account. If they have this hash, they can present it to the backend services as if it were a valid password to authenticate. It is important to note that the vulnerability is not triggered by simply scanning the network; it requires knowledge of valid account-specific data. Without the correct hash, the backend does not grant unauthorized access.

Do I need to worry about this if I use Setracker2?

Halo Surface Signal indicates that while the app's backend services are reachable over a network, they may not be inherently public-facing by design. You should assess whether your specific backend infrastructure is exposed to the internet. If your services are accessible externally, the risk of an attacker attempting to use a captured hash to gain full access to your system is significantly higher than for internal or restricted environments.

What should I do first to address this CVE?

Your priority is to identify where the affected version of the Setracker2 app and its associated backend services are currently deployed in your environment. Once identified, evaluate the network accessibility and business criticality of those backend services. Coordinate with your infrastructure teams to restrict access where possible and monitor for any vendor-provided updates that address how the application handles authentication.

References