Home
Description
Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. The server-side endpoint responsible for serving update packages for the application does not require any authentication. This allows an unauthenticated remote attacker to freely download official update packages..
References
www.nowsecure.com/...yscan-app-risks-to-phones-and-vehicles/
github.com/ab3lson/cve-references/tree/master/CVE-2025-63435
