Vulnerability Description
Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffic can use this hardcoded key to decrypt, modify, and re-encrypt the update manifest, allowing them to direct the application to download a malicious update package.
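The root cause above is that decrypting with a key and IV baked into the app gives no integrity guarantee: anyone holding the static key can re-encrypt an altered manifest. The added example below (not code from the Xtool AnyScan app or from the advisory) shows the client-side check that closes this class of issue: the app ships only the update server's public key and accepts a manifest only if its detached Ed25519 signature verifies. The JSON manifest layout, field names, and use of Ed25519 are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in for update metadata (the real AnyScan format is not known here).
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}
// SignedManifest carries raw manifest bytes plus a detached Ed25519 signature from the
// update server's private key. The app ships only the matching public key.
type SignedManifest struct{ Body, Sig []byte }

// VerifyManifest is the hardened client-side check. Unlike decrypting with a static AES
// key/IV (where holding the key is enough to re-encrypt altered bytes), an on-path party
// who changes Body cannot produce a Sig that verifies, so tampering is rejected before parsing.
func VerifyManifest(pinnedPub ed25519.PublicKey, sm SignedManifest) (*Manifest, error) {
	if len(pinnedPub) != ed25519.PublicKeySize { // ed25519.Verify panics on a bad key size
		return nil, errors.New("pinned public key has wrong size")
	}
	if !ed25519.Verify(pinnedPub, sm.Body, sm.Sig) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Body, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	return &m, nil
}
// SignManifest is the server-side half, present only to produce input for the demo.
func SignManifest(priv ed25519.PrivateKey, m Manifest) SignedManifest {
	body, _ := json.Marshal(m) // Manifest has only string fields, so Marshal cannot fail
	return SignedManifest{Body: body, Sig: ed25519.Sign(priv, body)}
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sm := SignManifest(priv, Manifest{Version: "4.40.41", URL: "https://updates.example/pkg.bin", SHA256: "constructed"})
	_, okErr := VerifyManifest(pub, sm)
	sm.Body = bytes.Replace(sm.Body, []byte("updates.example"), []byte("attacker.example"), 1) // on-path edit of the URL
	_, tamperErr := VerifyManifest(pub, sm)
	fmt.Println("genuine accepted:", okErr == nil, "| tampered rejected:", tamperErr != nil)
}
```

The signed manifest's SHA256 field is what the app should then compare against the downloaded package, so the same signature also pins the payload, and this check complements rather than replaces TLS on the update channel.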
CVSS Score
4.6 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xtooltech | Xtool Anyscan | <= 4.40.40 |
Related Weaknesses (CWE)
References
- https://github.com/ab3lson/cve-references/tree/master/CVE-2025-63433 (Third Party Advisory)
- https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xt (Exploit, Third Party Advisory)
FAQ
What is CVE-2025-63433?
CVE-2025-63433 is a vulnerability with a CVSS score of 4.6 (MEDIUM). Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffic can use this hardcoded key to decrypt, modify, and re-encrypt the update manifest, allowing them to direct the application to download a malicious update package.
How severe is CVE-2025-63433?
CVE-2025-63433 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS score above for the severity rating.
Is there a patch for CVE-2025-63433?
Check the references section above for vendor advisories and patch information. Affected products include: Xtooltech Xtool Anyscan.