CVE-2025-63432
BaseFortify
Publication date: 2025-11-24
Last updated on: 2025-11-28
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xtooltech | xtool_anyscan | up to 4.40.40 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-599 | The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Xtooltech Xtool AnyScan Android Application version 4.40.40 and earlier, where the app does not properly validate the SSL/TLS certificates from its update server. This flaw allows an attacker on the same network to perform a Man-in-the-Middle (MITM) attack, intercepting, decrypting, and modifying the communication between the app and the update server. This can lead to further attacks such as Remote Code Execution.
How can this vulnerability impact me?
The vulnerability can allow an attacker to intercept and alter the data exchanged between the application and its update server. This can lead to unauthorized code execution on the device, potentially compromising the device's security, data integrity, and user privacy.