What is the CVSS score of CVE-2025-63435?

CVE-2025-63435 has a CVSS 3.1 base score of 4.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. EPSS exploitation probability: 0.1%.

Which versions of Android are affected by CVE-2025-63435?

Organizations using Xtooltech Xtool AnyScan Android Application 4.40.40 should be aware of moderate risk from CVE-2025-63435, a missing authentication vulnerability rated CVSS 4.3.

Is there a public PoC exploit available for CVE-2025-63435?

Yes, a public proof-of-concept exploit is available for CVE-2025-63435. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-63435?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Audit authentication configurations.

Android CVE-2025-63435

MEDIUM

Missing Authentication for Critical Function (CWE-306)

2025-11-24 cve@mitre.org

Authentication Bypass Google Android Xtool Anyscan

4.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:23 vuln.today

PoC Detected

Nov 28, 2025 - 17:06 vuln.today

Public exploit code

CVE Published

Nov 24, 2025 - 17:16 nvd

MEDIUM 4.3

DescriptionNVD

Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. The server-side endpoint responsible for serving update packages for the application does not require any authentication. This allows an unauthenticated remote attacker to freely download official update packages..

AnalysisAI

Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Missing Authentication for Critical Function (CWE-306), which allows attackers to access critical functionality without authentication. Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. The server-side endpoint responsible for serving update packages for the application does not require any authentication. This allows an unauthenticated remote attacker to freely download official update packages.. Affected products include: Xtooltech Xtool Anyscan.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Require authentication for all sensitive operations, implement defense in depth.

More from same product – last 7 days

CVE-2026-48235 HIGH This Week

8.8 May 21

SQL injection in Open ISES Tickets before 3.44.2 allows attackers controlling or impersonating an InstaMapper or Google

CVE-2026-44739 HIGH This Week

8.7 May 27

SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config

CVE-2026-48246 HIGH This Week

8.2 May 21

TLS certificate verification bypass in Open ISES Tickets before 3.44.2 allows network-positioned attackers to intercept

CVE-2026-48244 MEDIUM This Month

6.9 May 21

Hardcoded Google Maps API key exposure in Open ISES Tickets before v3.44.2 enables any party with read access to the pub

CVE-2026-48245 MEDIUM This Month

6.9 May 21

Open ISES Tickets exposes a hardcoded Google Maps API key committed directly to its public GitHub source repository in t

CVE-2025-63435 vulnerability details – vuln.today

Back

Android CVE-2025-63435

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code