CVE-2025-52024
CRITICALAptsys POS Platform Web Services < 2025-05-28 - Unauthenticated API Exposure via Internal Testing Tools
Title source: llmDescription
A vulnerability exists in the Aptsys POS Platform Web Services module thru 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services, each with an HTML form for submitting test input. These panels are intended for developer use, but are accessible in production environments with no authentication or session validation. This grants any external actor the ability to discover, test, and execute API endpoints that perform critical functions including but not limited to user transaction retrieval, credit adjustments, POS actions, and internal data queries.
References (2)
Core 2
Core References
Product
http://aptsys.com
Third Party Advisory
https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39
Scores
CVSS v3
9.4
EPSS
0.0041
EPSS Percentile
32.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-306
CWE-425
CWE-862
Status
published
Products (1)
aptsys/gemscms_backend
< 2025-05-28
Published
Jan 23, 2026
Tracked Since
Feb 18, 2026