CVE-2025-63433
BaseFortify

Publication date: 2025-11-24

Last updated on: 2025-11-28

Assigner: MITRE

Description
Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffic can use this hardcoded key to decrypt, modify, and re-encrypt the update manifest, allowing them to direct the application to download a malicious update package.
Meta Information
Generated: 2026-06-16
EPSS evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: xtooltech
Product: xtool_anyscan
Version / Range: up to and including 4.40.40
CWE
CWE-798: The product contains hard-coded credentials, such as a password or cryptographic key.
Executive Summary

This vulnerability exists in the Xtooltech Xtool AnyScan Android Application version 4.40.40 and earlier. The application uses a hardcoded cryptographic key and initialization vector (IV) within its code to decrypt update metadata. Because the key is static and embedded in the app, an attacker who can intercept network traffic can use this key to decrypt, modify, and then re-encrypt the update manifest. This manipulation allows the attacker to trick the application into downloading and installing a malicious update package.

Impact Analysis

If exploited, this vulnerability can allow an attacker to deliver malicious updates to the application by intercepting and altering the update metadata. This could lead to the installation of malicious software on the device, potentially compromising the device's security, data integrity, and user privacy.
