Xtool Anyscan
CVE-2025-63433
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffic can use this hardcoded key to decrypt, modify, and re-encrypt the update manifest, allowing them to direct the application to download a malicious update package.
AnalysisAI
Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Use of Hard-coded Credentials (CWE-798), which allows attackers to gain access using credentials embedded in source code. Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffic can use this hardcoded key to decrypt, modify, and re-encrypt the update manifest, allowing them to direct the application to download a malicious update package. Affected products include: Xtooltech Xtool Anyscan.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Remove hard-coded credentials, use environment variables or secrets management, rotate exposed credentials immediately.
More in Xtool Anyscan
View allThe update mechanism in Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is insecure. Rated high severity (
Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is Missing SSL Certificate Validation. Rated medium severi
Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. Rated medium severi
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today