CVE-2024-12866

HighPublic PoC

Published: 20 March 2025

Published

20 March 2025

Modified

01 August 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0047 64.7th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.

Security Summary

CVE-2024-12866 is a local file inclusion vulnerability (CWE-22) affecting netease-youdao/qanything version v2.0.0. Published on 2025-03-20, it enables attackers to read arbitrary files on the file system, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation allows reading sensitive files such as private SSH keys, private files, source code, and configuration files, potentially leading to remote code execution.

Mitigation details are available in the advisory published on Huntr at https://huntr.com/bounties/c23da7c7-a226-40a2-83db-6a8ab1b2ef64.

Details

CWE(s): CWE-22

Affected Products

youdao

qanything

2.0.0

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: QAnything (netease-youdao/qanything) is an open-source AI-native platform for private knowledge base conversations, functioning as an enterprise AI assistant for document querying and RAG-based interactions. The vulnerability is reported on an AI/ML bug bounty platform (huntr.com), confirming its AI context.

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

T1083 File and Directory Discovery Discovery

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1552.001 Credentials In Files Credential Access

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

attack.mitre.org →

T1552.004 Private Keys Credential Access

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.

attack.mitre.org →

Why these techniques?

LFI vulnerability enables exploitation of public-facing application (T1190), arbitrary file reads for file/directory discovery (T1083) and data collection from local system (T1005), and access to unsecured credentials in files including private SSH keys (T1552.001, T1552.004).

References

https://huntr.com/bounties/c23da7c7-a226-40a2-83db-6a8ab1b2ef64
Exploit, Third Party Advisory · security@huntr.dev