CVE-2025-68713
HighCVSS 8.0Exploitation Probability (EPSS)
Low risk6th percentile — higher than 6% of all known CVEs
Summary
A vulnerability was discovered in Rakuten Send Anywhere for Android (version 23.2.9) that allows untrusted applications to force arbitrary file downloads into the app's storage. These files appear in the application's trusted Received interface, creating a vector for arbitrary code execution or denial-of-service through resource exhaustion.
Risk Assessment
The organization may be exposed to malicious code execution or denial-of-service attacks, potentially leading to data loss or application downtime.
Recommendation
It is recommended to update the application to the latest version and to monitor and restrict access to the application to minimize the risk of exploitation of this vulnerability.
Original NVD description (English source)
An issue was discovered in Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere) 23.2.9. The vulnerability allows untrusted applications (with no permissions) to force arbitrary file downloads into the app's scoped storage. The resulting files appear in the application's trusted Received interface. These conditions establish a vector for arbitrary code execution if the payload is an APK file, or a denial-of-service condition through resource exhaustion from oversized transfers.

