Search
Search Results (3 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-63434 | 2 Google, Xtooltech | 2 Android, Anyscan | 2025-11-26 | 8.8 High |
| The update mechanism in Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is insecure. The application downloads and extracts update packages containing executable code without performing a cryptographic integrity or authenticity check on their contents. An attacker who can control the update metadata can serve a malicious package, which the application will accept, extract, and later execute, leading to arbitrary code execution. | ||||
| CVE-2025-63435 | 2 Google, Xtooltech | 2 Android, Anyscan | 2025-11-26 | 4.3 Medium |
| Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. The server-side endpoint responsible for serving update packages for the application does not require any authentication. This allows an unauthenticated remote attacker to freely download official update packages.. | ||||
| CVE-2025-63433 | 2 Google, Xtooltech | 2 Android, Anyscan | 2025-11-26 | 4.6 Medium |
| Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffic can use this hardcoded key to decrypt, modify, and re-encrypt the update manifest, allowing them to direct the application to download a malicious update package. | ||||
Page 1 of 1.