CVE-2025-63435
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-24

Last updated on: 2025-11-28

Assigner: MITRE

Description
Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. The server-side endpoint responsible for serving update packages for the application does not require any authentication. This allows an unauthenticated remote attacker to freely download official update packages..
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-24
Last Modified
2025-11-28
Generated
2026-06-16
AI Q&A
2025-11-24
EPSS Evaluated
2026-06-15
NVD
CVE-2025-63435
EUVD
EUVD-2025-198964
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xtooltech xtool_anyscan to 4.40.40 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in Xtooltech Xtool AnyScan Android Application 4.40.40 is that the server-side endpoint responsible for serving update packages does not require any authentication. This means that an unauthenticated remote attacker can freely download official update packages without any restrictions.

Impact Analysis

This vulnerability could allow an attacker to download official update packages without authorization. While the description does not specify further impacts, unauthorized access to update packages could potentially lead to information disclosure or facilitate further attacks if the packages are sensitive or if the attacker uses the information maliciously.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-63435. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart