Cyber Resilience

CVE-2025-52024

Severity: Critical
Published: 23 January 2026
Modified: 11 February 2026
CISA KEV: not listed
CVSS v3.1 score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS score: 0.0041 (32.9th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-52024 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Aptsys Gemscms Backend. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 32.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-52024 affects the Aptsys POS Platform Web Services module through 2025-05-28. The vulnerability exposes internal API testing tools to unauthenticated users via specific URLs, presenting a directory-style index listing all available backend services and POS web services. Each service includes an HTML form for submitting test input, intended solely for developer use but accessible in production environments without any authentication or session validation.

Unauthenticated attackers with network access can exploit this vulnerability due to its low attack complexity and lack of required privileges. By accessing the exposed panels, they can discover, test, and execute API endpoints performing critical functions, including user transaction retrieval, credit adjustments, POS actions, and internal data queries. The issue carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) and maps to CWEs 306 (Missing Authentication for Critical Function), 425 (Direct Request ('Forced Browsing')), and 862 (Missing Authorization).
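The defect class described above, shown as an added example rather than vendor code: a developer service index that renders one test form per backend service, first as the page describes it (served to anyone who requests the URL, in every environment) and then hardened in the two ways the mitigating controls call for: not registered in production at all, and requiring an authenticated session elsewhere. The path, service names and Request type are hypothetical.

```python
"""Added illustration of CVE-2025-52024's weakness class (CWE-306 / CWE-425).
Not Aptsys code: DEV_INDEX_PATH, SERVICES and Request are constructed for the example."""
from dataclasses import dataclass
from typing import Tuple

DEV_INDEX_PATH = "/dev/services"  # hypothetical location of the API testing index
SERVICES = ("GetUserTransactions", "AdjustCredit", "PosAction")  # constructed names


@dataclass
class Request:
    path: str
    authenticated: bool = False  # outcome of session validation performed upstream


def render_index() -> str:
    """Directory-style index with an HTML test form per service, as the advisory describes."""
    forms = "".join(
        f"<li><form method='post' action='{DEV_INDEX_PATH}/{name}'>"
        f"<input name='payload'><button>{name}</button></form></li>"
        for name in SERVICES
    )
    return f"<ul>{forms}</ul>"


def vulnerable_handler(req: Request) -> Tuple[int, str]:
    """CWE-306: the index answers any direct request, with no identity or session check."""
    if req.path == DEV_INDEX_PATH:
        return 200, render_index()
    return 404, ""


def hardened_handler(req: Request, environment: str) -> Tuple[int, str]:
    """Least functionality: the tool is absent from production, so there is nothing to
    forced-browse to; elsewhere AC-14/AC-3 style enforcement requires a valid session."""
    if req.path != DEV_INDEX_PATH:
        return 404, ""
    if environment == "production":
        return 404, ""  # route never registered in production builds
    if not req.authenticated:
        return 401, ""  # identification required before any listing or test submission
    return 200, render_index()
```

The same gate must wrap the per-service form targets, not only the index page, or the individual endpoints remain reachable by direct request.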

Advisories and further details, including potential mitigation guidance, are available at http://aptsys.com and https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39.

Vulnerability details

A vulnerability exists in the Aptsys POS Platform Web Services module through 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services, each with an HTML form for submitting test input. These panels are intended for developer use, but are accessible in production environments with no authentication or session validation. This grants any external actor the ability to discover, test, and execute API endpoints that perform critical functions including but not limited to user transaction retrieval, credit adjustments, POS actions, and internal data queries.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Exposed unauthenticated developer API testing interfaces on public-facing web services directly enable remote exploitation of critical backend functions.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-52025 (same product: Aptsys Gemscms Backend)
CVE-2025-52026 (same product: Aptsys Gemscms Backend)
CVE-2026-30784 (shared CWE-306, CWE-862)
CVE-2026-44329 (shared CWE-306, CWE-862)
CVE-2025-70141 (shared CWE-306, CWE-862)
CVE-2025-70146 (shared CWE-306, CWE-862)
CVE-2026-25058 (shared CWE-306, CWE-862)
CVE-2026-44327 (shared CWE-306, CWE-862)
CVE-2026-44320 (shared CWE-306, CWE-862)
CVE-2026-44328 (shared CWE-306, CWE-862)

Affected Assets

Vendor: aptsys
Product: gemscms backend
Versions: ≤ 2025-05-28

Mitigating Controls (NIST 800-53 r5) (AI)

AC-14 Permitted Actions Without Identification or Authentication (prevent): Directly requires identification and limitation of critical actions, such as the unauthenticated API testing and execution exposed by this vulnerability.

AC-3 Access Enforcement (prevent): Mandates enforcement of access control policies to block unauthorized access to sensitive backend services and POS APIs via exposed URLs.

Prevent: Requires configuration to provide only essential production capabilities, excluding developer testing tools and interfaces from operational environments.
