CVE-2025-63432

MEDIUM

Xtooltech Xtool AnyScan <4.40.40 - SSL Validation

Title source: llm

Description

Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is Missing SSL Certificate Validation. The application fails to properly validate the TLS certificate from its update server. An attacker on the same network can exploit this vulnerability by performing a Man-in-the-Middle (MITM) attack to intercept, decrypt, and modify traffic between the application and the update server. This serves as the basis for further attacks, including Remote Code Execution.

References (2)

Core 2

Core References

Third Party Advisory

https://github.com/ab3lson/cve-references/tree/master/CVE-2025-63432

View Writeup ZIP pw:eip

Exploit, Third Party Advisory

https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xtool-anyscan-app-risks-to-phones-and-vehicles/

Scores

CVSS v3 4.6

EPSS 0.0004

EPSS Percentile 10.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-599

Status published

Products (1)

xtooltech/xtool_anyscan < 4.40.40

Published Nov 24, 2025

Tracked Since Feb 18, 2026