Description
An issue was discovered in Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere) 23.2.9. The vulnerability allows untrusted applications (with no permissions) to force arbitrary file downloads into the app's scoped storage. The resulting files appear in the application's trusted Received interface. These conditions establish a vector for arbitrary code execution if the payload is an APK file, or a denial-of-service condition through resource exhaustion from oversized transfers.
Published: 2026-06-15
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An Android application designed for file transfer, Rakuten Send Anywhere, is affected by a flaw that permits any untrusted app without permissions to compel the target app to download arbitrary files into its scoped storage. The victim files become visible in the trusted Received list, enabling the attacker to supply an APK that can be executed, thereby potentially achieving code execution. If the attacker supplies a large file, the target app may also suffer a denial of service by exhausting local resources.

Affected Systems

The flaw affects Rakuten Send Anywhere version 23.2.9 running on Android devices; only this version is listed as vulnerable.

Risk and Exploitability

The CVSS score of 8 indicates high severity, but the EPSS value of less than 1 % suggests that exploitation in the wild is currently unlikely. The vulnerability is not yet recorded in CISA’s KEV catalogue. The exploit requires the presence of a malicious background app that can issue download requests, so the attack surface is limited to devices where such untrusted apps are installed and able to trigger the attack.

Generated by OpenCVE AI on June 18, 2026 at 01:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Rakuten Send Anywhere Android app that includes the security fix
  • Identify and uninstall any untrusted applications that can trigger file downloads to the target app
  • Disable Android’s permission to download unknown APKs from third‑party sources or enforce a device policy that blocks such writes to scoped storage

Generated by OpenCVE AI on June 18, 2026 at 01:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Rakuten
Rakuten send Anywhere For Android
Vendors & Products Rakuten
Rakuten send Anywhere For Android

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Arbitrary File Download in Rakuten Send Anywhere Android App Enables Potential Code Execution

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Arbitrary File Download in Rakuten Send Anywhere Android App Enables Potential Code Execution

Tue, 16 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-926
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description An issue was discovered in Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere) 23.2.9. The vulnerability allows untrusted applications (with no permissions) to force arbitrary file downloads into the app's scoped storage. The resulting files appear in the application's trusted Received interface. These conditions establish a vector for arbitrary code execution if the payload is an APK file, or a denial-of-service condition through resource exhaustion from oversized transfers.
References

Subscriptions

Rakuten Send Anywhere For Android
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T13:09:19.777Z

Reserved: 2025-12-24T00:00:00.000Z

Link: CVE-2025-68713

cve-icon Vulnrichment

Updated: 2026-06-16T13:08:49.196Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:24.703

Modified: 2026-06-16T15:51:29.037

Link: CVE-2025-68713

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:46:38Z

Weaknesses
  • CWE-926

    Improper Export of Android Application Components