CVE-2025-1102
Published: 12 February 2025
Summary
CVE-2025-1102 is a medium-severity Origin Validation Error (CWE-346) vulnerability in Q-Free Maxtime. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 10.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- Directly mitigates the CVE by identifying, reporting, and remediating the specific flaw in CORS origin validation through patching as specified in the advisory.
- CM-6 (Configuration Settings): ensures secure baseline configuration settings for the Q-Free MaxTime application, including proper CORS origin validation to block unauthorized cross-origin requests.
- SI-10 (Information Input Validation): requires validation of HTTP inputs such as the Origin header to prevent exploitation of the CWE-346 origin validation error via crafted requests.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
A CORS origin validation error (CWE-346) in the Q-Free MaxTime web management interface lets unauthenticated remote attackers bypass security policies and access or manipulate sensitive data via crafted URLs or HTTP requests, which is the exploitation of a public-facing application that T1190 describes.
NVD Description
A CWE-346 "Origin Validation Error" in the CORS configuration in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability via crafted URLs or HTTP requests.
Deeper analysis (AI-generated)
CVE-2025-1102 is a CWE-346 Origin Validation Error in the CORS configuration of Q-Free MaxTime versions 2.11.0 and earlier. Published on 2025-02-12, the vulnerability allows an unauthenticated remote attacker to affect the device's confidentiality, integrity, or availability through crafted URLs or HTTP requests. The root cause is improper validation of the request origin. The CVSS v3.1 base score is 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N): moderate severity, driven by the high confidentiality impact and tempered by the vector's requirement for local access and user interaction.
An unauthenticated remote attacker could exploit the flaw by tricking a user into interacting with crafted URLs or HTTP requests. Although the CVSS vector specifies local access (AV:L), the description notes remote exploitation potential, most likely through social engineering that induces the required user interaction (UI:R), with low attack complexity (AC:L) and no privileges required (PR:N). In the vector's terms, successful exploitation compromises device confidentiality, with no direct impact on integrity or availability.
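As an added illustration of what a CWE-346 origin validation error in a CORS configuration looks like, and how a server-side check should be written instead, the following Python is an example added here; it is not code from Q-Free MaxTime, from the advisory, or from this record. The allowlisted origin "https://ops.example.com" and the probe origins are constructed placeholders. The weak checker uses a loose substring match and reflects whatever Origin value passed it, which is the kind of logic that lets an unrelated site's cross-origin requests through; the strict checker normalizes the Origin header and requires an exact match against a fixed allowlist.

```python
from typing import Dict, List, Optional, Callable
from urllib.parse import urlsplit

# Constructed allowlist for a hypothetical management interface.
# The hostname is a placeholder, not a real deployment value.
ALLOWED_ORIGINS = frozenset({"https://ops.example.com"})
TRUSTED_HOST = "ops.example.com"


def weak_origin_check(origin: Optional[str]) -> Optional[str]:
    """CWE-346 pattern: accept any Origin whose string merely contains the
    trusted hostname, then reflect it into Access-Control-Allow-Origin.
    Origins such as https://ops.example.com.evil.test or
    https://evil.test/?ops.example.com satisfy this test."""
    if origin and TRUSTED_HOST in origin:
        return origin
    return None


def strict_origin_check(origin: Optional[str]) -> Optional[str]:
    """Exact allowlist match on scheme and host (and port if present).
    Never reflects the caller's input; returns the canonical allowlisted
    value or None."""
    if not origin:
        return None
    parts = urlsplit(origin)
    # A well-formed Origin header carries only scheme://host[:port];
    # anything else (path, query, userinfo, the literal 'null') is rejected.
    if parts.scheme != "https" or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    normalized = f"{parts.scheme}://{parts.netloc.lower()}"
    return normalized if normalized in ALLOWED_ORIGINS else None


def cors_headers(origin: Optional[str],
                 checker: Callable[[Optional[str]], Optional[str]]) -> Dict[str, str]:
    """Build the CORS response headers a server would emit for this Origin.
    No header at all is the correct answer for a disallowed origin; 'Vary:
    Origin' keeps caches from serving one origin's response to another."""
    allowed = checker(origin)
    if allowed is None:
        return {}
    return {"Access-Control-Allow-Origin": allowed, "Vary": "Origin"}


# Constructed probe origins an auditor might send to compare the two checks.
PROBES: List[str] = [
    "https://ops.example.com",
    "https://ops.example.com.evil.test",
    "https://evil.test/?ops.example.com",
    "http://ops.example.com",
    "null",
]


def divergent_origins(probes: List[str]) -> List[str]:
    """Origins the weak check would accept but the strict check rejects:
    each one is a cross-origin caller the loose configuration exposes."""
    return [p for p in probes
            if weak_origin_check(p) is not None and strict_origin_check(p) is None]


if __name__ == "__main__":
    for probe in PROBES:
        print(f"{probe!r:45} weak={cors_headers(probe, weak_origin_check)} "
              f"strict={cors_headers(probe, strict_origin_check)}")
    print("accepted only by the weak check:", divergent_origins(PROBES))
```

The useful habit for an input-validation control like SI-10 is the shape of `strict_origin_check`: parse the header, reject anything that is not purely scheme and host, compare the normalized value against a closed allowlist, and emit the allowlisted constant rather than the request's own string.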
Mitigation details are available in the advisory published by Nozomi Networks Labs at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-1102. Security practitioners should consult this reference for patching instructions, workarounds, or configuration changes specific to Q-Free MaxTime deployments.
Details
- CWE(s)