CVE-2025-52024
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-23

Last updated on: 2026-02-11

Assigner: MITRE

Description
A vulnerability exists in the Aptsys POS Platform Web Services module thru 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services, each with an HTML form for submitting test input. These panels are intended for developer use, but are accessible in production environments with no authentication or session validation. This grants any external actor the ability to discover, test, and execute API endpoints that perform critical functions including but not limited to user transaction retrieval, credit adjustments, POS actions, and internal data queries.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-23
Last Modified
2026-02-11
Generated
2026-06-16
AI Q&A
2026-01-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-52024
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
aptsys gemscms_backend to 2025-05-28 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-425 The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Aptsys POS Platform Web Services module allows unauthenticated users to access internal API testing tools. By visiting certain URLs, an attacker can see a directory listing of backend services and POS web services, each with an HTML form to submit test inputs. These tools, meant for developers, are exposed in production without any authentication or session checks, enabling attackers to discover, test, and execute critical API endpoints.

Impact Analysis

The vulnerability allows any external attacker to access and execute critical backend API functions such as user transaction retrieval, credit adjustments, POS actions, and internal data queries without authentication. This can lead to unauthorized data access, manipulation of transactions, and potentially fraudulent activities impacting business operations and customer data integrity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-52024. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart