Cyber Resilience

CVE-2024-52786

CriticalRCE

Published: 22 August 2025

Published
22 August 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0093 76.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-52786 is a critical-severity Code Injection (CWE-94) vulnerability in Gitee (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-52786 is an authentication bypass vulnerability in anji-plus AJ-Report versions up to v1.4.2. The flaw allows unauthenticated attackers to execute arbitrary code by sending a crafted URL to the vulnerable application. It is linked to CWE-94 (code injection) and CWE-287 (improper authentication), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites.

Unauthenticated remote attackers can exploit this vulnerability without privileges or user interaction. By crafting a malicious URL, they gain the ability to execute arbitrary code on the target system, resulting in high impacts to confidentiality, integrity, and availability, such as data theft, modification, or denial of service.

Advisories and further details on mitigation are documented at https://gitee.com/anji-plus/report/issues/IB3ED6 and https://gitee.com/fushuling/cve/blob/master/CVE-2024-52786.md.

EU & UK References

Vulnerability details

An authentication bypass vulnerability in anji-plus AJ-Report up to v1.4.2 allows unauthenticated attackers to execute arbitrary code via a crafted URL.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authentication bypass in public-facing web app directly enables remote arbitrary code execution via crafted URL (CWE-94/287).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-13773Shared CWE-94
CVE-2025-50692Shared CWE-94
CVE-2026-30643Shared CWE-94
CVE-2026-30460Shared CWE-94
CVE-2025-71279Shared CWE-287
CVE-2025-71243Shared CWE-94
CVE-2026-44262Shared CWE-94
CVE-2024-13804Shared CWE-287
CVE-2024-13792Shared CWE-94
CVE-2020-37052Shared CWE-94

Affected Assets

Gitee
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the authentication bypass vulnerability in AJ-Report by identifying, reporting, and applying patches to prevent arbitrary code execution.

prevent

Enforces approved access control policies to block unauthenticated access to the vulnerable reporting functionality exploited via crafted URLs.

prevent

Validates information inputs from crafted URLs to prevent code injection attacks that leverage the authentication bypass.

References