Vulnerability Description
Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is Missing SSL Certificate Validation. The application fails to properly validate the TLS certificate from its update server. An attacker on the same network can exploit this vulnerability by performing a Man-in-the-Middle (MITM) attack to intercept, decrypt, and modify traffic between the application and the update server. This serves as the basis for further attacks, including Remote Code Execution.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xtooltech | Xtool Anyscan | <= 4.40.40 |
Related Weaknesses (CWE)
References
- https://github.com/ab3lson/cve-references/tree/master/CVE-2025-63432Third Party Advisory
- https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xtExploitThird Party Advisory
FAQ
What is CVE-2025-63432?
CVE-2025-63432 is a vulnerability with a CVSS score of 4.6 (MEDIUM). Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is Missing SSL Certificate Validation. The application fails to properly validate the TLS certificate from its update server. An attacker ...
How severe is CVE-2025-63432?
CVE-2025-63432 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-63432?
Check the references section above for vendor advisories and patch information. Affected products include: Xtooltech Xtool Anyscan.