CVE-2025-68713
Description
Rakuten Send Anywhere for Android 23.2.9 allows untrusted apps to force file downloads into its scoped storage, leading to potential code execution or DoS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere) version 23.2.9. The flaw allows untrusted applications that hold no permissions to force the app to download arbitrary files into its scoped storage. Once downloaded, these files appear in the application's trusted Received interface, which normally only shows user-approved transfers [1].
Exploitation
An attacker with a malicious app installed on the same device can exploit this without needing any permissions. By invoking an unprotected component or abusing an implicit intent, the attacker can trigger a download of an arbitrary file (from any URL the app can reach) into the app's private storage directory. No user interaction is required beyond the user having the vulnerable app installed. The attack does not require network position or authentication [1].
Impact
Successful exploitation results in the attacker’s chosen file being placed into the Send Anywhere received files folder. If the payload is an APK file, the attacker can achieve arbitrary code execution when the user opens the file (e.g., tapping on it in the received interface). Alternatively, transferring an oversized file can cause denial-of-service through resource exhaustion. The attacker gains no elevated privileges on the system but can abuse the app’s trusted position to trick the user into executing malicious content [1].
Mitigation
As of the available reference [1], no patch or updated version has been released by Rakuten for 23.2.9. The vendor has not publicly acknowledged the issue or provided a workaround. Users are advised to uninstall the app or restrict its usage until a fix is available. The vulnerability is not listed in CISA’s KEV catalog as of this writing.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: = 23.2.9
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.