CVE Reference (CVE-2025-63435)

Vulnerability Details

CVE Description
The server-side endpoint responsible for hosting and serving update packages for the Xtool AnyScan Android Application (versions 4.40.40 and prior) does not require any authentication. This vulnerability allows any unauthenticated remote attacker to freely and directly download all official update packages meant for the application.

Vulnerability Type
Missing Authentication for Critical Function

Key Attack Vector
Direct Download: An attacker can directly access the vendor's servers to download legitimate update packages.
Reconnaissance: This access allows the attacker to analyze the official files and understand the expected file structure, naming conventions, and contents.
Exploit Development Aid: This information significantly lowers the barrier for an attacker to develop a working exploit.

Affected Component
The server-side endpoints responsible for hosting and serving official update packages for the application.

Impact

Severity

Additional Information
While this vulnerability is not a direct part of the Remote Code Execution (RCE) exploit chain, it is a key enabler. It gives potential attackers a crucial advantage in the reconnaissance phase required to craft malicious payloads used in the final stage of the RCE attack.

Affected Product
Vendor: Xtooltech
Product: Xtool AnyScan Android Application
Affected Versions: All versions up to and including 4.40.40

References
Primary Reference: Remote Code Execution Discovered in Xtool AnyScan App: Risks to Phones and Vehicles

Discovery
Discoverers: Chase Abel, Jake Van Dyke