The update mechanism in Xtooltech Xtool AnyScan Android...
High severity
Unreviewed
Published
Nov 24, 2025
to the GitHub Advisory Database
•
Updated Nov 24, 2025
Description
Published by the National Vulnerability Database
Nov 24, 2025
Published to the GitHub Advisory Database
Nov 24, 2025
Last updated
Nov 24, 2025
The update mechanism in Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is insecure. The application downloads and extracts update packages containing executable code without performing a cryptographic integrity or authenticity check on their contents. An attacker who can control the update metadata can serve a malicious package, which the application will accept, extract, and later execute, leading to arbitrary code execution.
References