The key vulnerability information extracted from this web page screenshot is as follows:

CVE Reference: CVE-2025-63433

Vulnerability: Hardcoded Cryptographic Key in Xtool AnyScan Android Application

Vulnerability Description:
- The Xtooltex AnyScan Android Application (versions 4.40.40 and prior) uses a hardcoded cryptographic key and Initialization Vector (IV) to decrypt sensitive update metadata. The key is stored statically in the application's code, so it is easily recovered by reverse engineering. An attacker who has already intercepted the application's network traffic can use this key, together with the DES algorithm the application also uses, to decrypt, modify, and re-encrypt the update manifest. This lets the attacker direct the application to download and execute a malicious update package.

Vulnerability Type:
- Use of Hard-coded Cryptographic Key

Attack Vector:
- Reverse Engineering: An attacker easily extracts the hardcoded DES key and IV from the application's code.
- Traffic Interception: The attacker must first intercept the network traffic (typically via a prior Man-in-the-Middle attack).
- Decryption and Forgery: The attacker then decrypts the legitimate update metadata and crafts a malicious replacement.
- Re-encryption and Injection: The malicious payload is re-encrypted and injected back into the application's network stream.

Affected Component:
-

Severity:

Additional Information:
- This vulnerability is a critical step in the overall exploit chain that results in Remote Code Execution (RCE). It is exploited after a Man-in-the-Middle attack is established. Because the key is predictable and hardcoded, the attacker can completely forge update instructions and achieve arbitrary code execution.

Affected Product:
- Vendor: Xtooltex
- Product: Xtool AnyScan Android Application
- Affected Versions: All versions up to and including 4.40.40

References:
- Primary Reference: https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xtool-anyscan-app-risks-to-phones-and-vehicles/
- Vendor Acknowledgment: Yes

Discovery:
- Discoverers: Chase Abel, Jake Van Dyke
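The root cause above is a design flaw rather than a bug in DES: a symmetric key that ships inside the app cannot prove who produced a manifest, because decrypting it requires exactly the key needed to forge it. The Go program below is an added example written for this summary; it is not code from the AnyScan app or from NowSecure. It places the weak design (DES-CBC under an embedded key and IV, with placeholder values that are constructed for the example and are not the application's real values) beside the hardened design (the app pins only an Ed25519 public key and refuses any manifest whose signature does not verify, so nothing recoverable from the APK lets a third party produce an accepted manifest). The Manifest fields and the SignedManifest envelope are assumed shapes, not the vendor's format.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed placeholders for the key and IV that the weak design embeds in the
// APK (not the real values). Every copy of the app carries them, so every party
// that unpacks the app can both decrypt and produce "valid" manifests.
var (
	legacyKey = []byte("EXAMPLE!") // 8 bytes: DES block size
	legacyIV  = []byte("EXAMPLEV") // 8 bytes
)

// Manifest is a minimal assumed stand-in for the update metadata.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
}

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// legacyOpen is the weak design: DES-CBC decryption under the embedded key.
// A clean decrypt says nothing about origin; it only proves the sender had
// the same key the app itself contains.
func legacyOpen(ct []byte) (Manifest, error) {
	block, err := des.NewCipher(legacyKey)
	if err != nil {
		return Manifest{}, err
	}
	if len(ct) == 0 || len(ct)%block.BlockSize() != 0 {
		return Manifest{}, errors.New("bad ciphertext length")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, legacyIV).CryptBlocks(pt, ct)
	if pt, err = pkcs7Unpad(pt, block.BlockSize()); err != nil {
		return Manifest{}, err
	}
	var m Manifest
	if err := json.Unmarshal(pt, &m); err != nil {
		return Manifest{}, err
	}
	return m, nil
}

// legacySeal produces a manifest that legacyOpen accepts. The vendor's update
// server runs this, but so can anyone who holds the embedded key.
func legacySeal(m Manifest) ([]byte, error) {
	pt, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	block, err := des.NewCipher(legacyKey)
	if err != nil {
		return nil, err
	}
	pt = pkcs7Pad(pt, block.BlockSize())
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, legacyIV).CryptBlocks(ct, pt)
	return ct, nil
}

// SignedManifest is the hardened envelope: plaintext metadata plus a signature.
type SignedManifest struct {
	Body []byte
	Sig  []byte
}

// signManifest runs only at the vendor, with a private key the app never contains.
func signManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// verifyManifest is what the app ships: a pinned public key. Unpacking the APK
// yields nothing that helps a third party make this check pass.
func verifyManifest(pub ed25519.PublicKey, sm SignedManifest) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Body, sm.Sig) {
		return Manifest{}, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Body, &m); err != nil {
		return Manifest{}, err
	}
	return m, nil
}

func main() {
	want := Manifest{Version: "1.0.1", URL: "https://updates.example/app-1.0.1.apk"}
	ct, _ := legacySeal(want)
	m, err := legacyOpen(ct)
	fmt.Println("legacy design accepts any manifest sealed under the embedded key:", m, err)

	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sm, _ := signManifest(priv, want)
	_, err = verifyManifest(pub, sm)
	fmt.Println("signed manifest accepted:", err == nil)
	sm.Body = bytes.Replace(sm.Body, []byte("1.0.1"), []byte("9.9.9"), 1)
	_, err = verifyManifest(pub, sm)
	fmt.Println("tampered manifest rejected:", err != nil)
}
```

The contrast to take away: in the weak design the "verification" step is the decrypt itself, and its only input besides the ciphertext is a secret every installed copy already contains. In the hardened design the verification input is a public key, and modifying a single byte of the manifest body invalidates the signature, so a network position alone is no longer enough to steer the updater.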