CVE-2024-52786
Published: 22 August 2025
Summary
CVE-2024-52786 is a critical-severity Code Injection (CWE-94) vulnerability in Gitee (product attribution inferred from references; the deeper analysis below identifies the affected product as anji-plus AJ-Report, which is hosted on Gitee). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks in the top 23.4% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-52786 is an authentication bypass vulnerability in anji-plus AJ-Report versions up to v1.4.2. The flaw allows unauthenticated attackers to execute arbitrary code by sending a crafted URL to the vulnerable application. It is linked to CWE-94 (code injection) and CWE-287 (improper authentication), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The critical rating reflects that the flaw is reachable over the network, has low attack complexity, and requires neither privileges nor user interaction.
Because no privileges or user interaction are needed, any remote party that can reach the application can exploit it. A crafted URL is sufficient to execute arbitrary code on the target system, with high impact to confidentiality, integrity, and availability: data theft, data modification, or denial of service.
Advisories and further details on mitigation are documented at https://gitee.com/anji-plus/report/issues/IB3ED6 and https://gitee.com/fushuling/cve/blob/master/CVE-2024-52786.md.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54902
Vulnerability details
An authentication bypass vulnerability in anji-plus AJ-Report up to v1.4.2 allows unauthenticated attackers to execute arbitrary code via a crafted URL.
- CWE(s): CWE-94 (Improper Control of Generation of Code, "Code Injection"), CWE-287 (Improper Authentication)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
An authentication bypass in a public-facing web application directly enables remote arbitrary code execution via a crafted URL (CWE-94/287).
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly remediates the authentication bypass vulnerability in AJ-Report by identifying, reporting, and applying patches to prevent arbitrary code execution.
- AC-3 (Access Enforcement): enforces approved access control policies to block unauthenticated access to the vulnerable reporting functionality exploited via crafted URLs.
- SI-10 (Information Input Validation): validates information inputs from crafted URLs to prevent code injection attacks that leverage the authentication bypass.