CVE-2025-63434
HIGHDescription
The update mechanism in Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is insecure. The application downloads and extracts update packages containing executable code without performing a cryptographic integrity or authenticity check on their contents. An attacker who can control the update metadata can serve a malicious package, which the application will accept, extract, and later execute, leading to arbitrary code execution.
Is your site exposed to CVE-2025-63434?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| xtooltech | xtool_anyscan |
References
Frequently Asked Questions
What is CVE-2025-63434? +
How severe is CVE-2025-63434? +
What products are affected by CVE-2025-63434? +
How do I check if I'm vulnerable to CVE-2025-63434? +
Related Vulnerabilities
iSTAR Ultra performs a firmware verification on boot, however the verification does not inspect certain portions of the firmware. These …
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In 3.8.8 and earlier, there is persistent local-pty code execution via imported bookmarks or …
Ollama for Windows contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker‑controlled HTTP …
Vulnerability in PointCloudLibrary PCL (surface/src/3rdparty/opennurbs modules). This vulnerability is associated with program files crc32.C. This vulnerability is only relevant if …
This vulnerability exists in the TP-Link Archer C50 due to improper signature verification mechanism in the firmware upgrade process at …
A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the …