Vulnerability Details CVE-2025-63433
Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffic can use this hardcoded key to decrypt, modify, and re-encrypt the update manifest, allowing them to direct the application to download a malicious update package.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 9.6%
CVSS Severity
CVSS v3 Score 4.6
Products affected by CVE-2025-63433
- cpe:2.3:a:xtooltech:xtool_anyscan:4.28.5
- cpe:2.3:a:xtooltech:xtool_anyscan:4.28.9
- cpe:2.3:a:xtooltech:xtool_anyscan:4.39.1
- cpe:2.3:a:xtooltech:xtool_anyscan:4.39.4
- cpe:2.3:a:xtooltech:xtool_anyscan:4.39.8
- cpe:2.3:a:xtooltech:xtool_anyscan:4.40.11
- cpe:2.3:a:xtooltech:xtool_anyscan:4.40.36
- cpe:2.3:a:xtooltech:xtool_anyscan:4.40.40