CVE-2025-26339
Published: 12 February 2025
Summary
CVE-2025-26339 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Q-Free Maxtime. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-14 directly requires identification, authorization, and documentation of critical functions like handleRoute.lua that permit access without authentication, mitigating CWE-306 unauthenticated remote exploitation.
AC-3 enforces approved access control policies that prevent unauthenticated attackers from accessing critical functions via crafted HTTP requests.
SC-14 enforces authorizations for public web interfaces and APIs, directly protecting exposed HTTP endpoints like handleRoute.lua from unauthenticated compromise.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authentication in the public-facing web management application (handleRoute.lua) enables unauthenticated remote exploitation for initial access (T1190: Exploit Public-Facing Application) and facilitates denial of service via crafted HTTP requests (T1499.004: Application or System Exploitation), with potential for configuration changes impacting confidentiality, integrity, and availability.
NVD Description
A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability in multiple unspecified ways via crafted HTTP requests.
Deeper analysisAI
CVE-2025-26339, published on 2025-02-12, is a critical vulnerability with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It manifests as a CWE-306 Missing Authentication for Critical Function in the maxtime/handleRoute.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. This flaw enables unauthenticated remote attackers to compromise the device's confidentiality, integrity, or availability in multiple unspecified ways by sending crafted HTTP requests.
The attack scenario targets systems exposed to the network running the affected Q-Free MaxTime software. Unauthenticated remote attackers require no privileges, user interaction, or special conditions beyond network access and low attack complexity. Exploitation can achieve high impacts across confidentiality, integrity, and availability, potentially allowing full device compromise through the unprotected critical function.
Mitigation details are outlined in the advisory published by Nozomi Networks Labs at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26339. No specific patch or workaround information is detailed in the CVE description.
Details
- CWE(s)