CVE-2025-68713

HIGH

Rakuten Send Anywhere for Android 23.2.9 - Unauthenticated Arbitrary File Download and Code Execution

Title source: llm

Description

An issue was discovered in Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere) 23.2.9. The vulnerability allows untrusted applications (with no permissions) to force arbitrary file downloads into the app's scoped storage. The resulting files appear in the application's trusted Received interface. These conditions establish a vector for arbitrary code execution if the payload is an APK file, or a denial-of-service condition through resource exhaustion from oversized transfers.

References (1)

Core 1

Core References

https://github.com/actuator/com.estmob.android.sendanywhere/blob/main/CVE-2025-68713

View Writeup ZIP pw:eip

Scores

CVSS v3 8.0

EPSS 0.0028

EPSS Percentile 19.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-926

Status published

Published Jun 15, 2026

Tracked Since Jun 16, 2026