CVE-2025-63432

MEDIUM

4.6

Descripcion

Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is Missing SSL Certificate Validation. The application fails to properly validate the TLS certificate from its update server. An attacker on the same network can exploit this vulnerability by performing a Man-in-the-Middle (MITM) attack to intercept, decrypt, and modify traffic between the application and the update server. This serves as the basis for further attacks, including Remote Code Execution.

Detalles CVE

Puntuacion CVSS v3.14.6

SeveridadMEDIUM

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosLOW

Interaccion usuarioREQUIRED

Publicado11/24/2025

Ultima modificacion11/28/2025

Fuentenvd

Avistamientos honeypot0

Productos afectados

xtooltech:xtool_anyscan

Debilidades (CWE)

CWE-599

Referencias

https://github.com/ab3lson/cve-references/tree/master/CVE-2025-63432(cve@mitre.org)

https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xtool-anyscan-app-risks-to-phones-and-vehicles/(cve@mitre.org)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.