exploitDog

CVE-2025-63435

Опубликовано: 24 нояб. 2025

Источник: nvd

CVSS3: 4.3

EPSS Низкий

Описание

Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. The server-side endpoint responsible for serving update packages for the application does not require any authentication. This allows an unauthenticated remote attacker to freely download official update packages..

Ссылки

https://github.com/ab3lson/cve-references/tree/master/CVE-2025-63435
Third Party Advisory
https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xtool-anyscan-app-risks-to-phones-and-vehicles/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:xtooltech:xtool_anyscan:*:*:*:*:*:android:*:*

Версия до 4.40.40 (включая)

EPSS

Процентиль: 27%

0.00094

Низкий

4.3 Medium

CVSS3

Дефекты

CWE-306

Связанные уязвимости

GHSA-xx5r-8vrj-6x6c

CVSS3: 4.3

github

2 месяца назад

Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. The server-side endpoint responsible for serving update packages for the application does not require any authentication. This allows an unauthenticated remote attacker to freely download official update packages..

EPSS

Процентиль: 27%

0.00094

Низкий

4.3 Medium

CVSS3

Дефекты

CWE-306