CVE-2025-63433

Published: Nov 24, 2025

Modified: Nov 24, 2025

PUBLISHED

Description

Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffic can use this hardcoded key to decrypt, modify, and re-encrypt the update manifest, allowing them to direct the application to download a malicious update package.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xtool-anyscan-app-risks-to-phones-and-vehicles/

https://github.com/ab3lson/cve-references/tree/master/CVE-2025-63433

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-63433

Description

Affected Products

References