CVE-2025-63435 — MEDIUM (4.3)

Q: How severe is CVE-2025-63435?

CVE-2025-63435 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2025-63435?

Check the references section above for vendor advisories and patch information. Affected products include: Xtooltech Xtool Anyscan.

Vulnerability Description

Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. The server-side endpoint responsible for serving update packages for the application does not require any authentication. This allows an unauthenticated remote attacker to freely download official update packages..

CVSS Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Xtooltech	Xtool Anyscan	<= 4.40.40

Related Weaknesses (CWE)

CWE-306

References

https://github.com/ab3lson/cve-references/tree/master/CVE-2025-63435Third Party Advisory
https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xtExploitThird Party Advisory

FAQ

What is CVE-2025-63435?

CVE-2025-63435 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. The server-side endpoint responsible for serving update packages for the application does not requi...

How severe is CVE-2025-63435?

CVE-2025-63435 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-63435?

Check the references section above for vendor advisories and patch information. Affected products include: Xtooltech Xtool Anyscan.