CVE-2025-26339
Published: 12 February 2025
Summary
CVE-2025-26339 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Q-Free Maxtime. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-26339 is a missing authentication vulnerability (CWE-306) affecting the maxtime/handleRoute.lua component in Q-Free MaxTime versions 2.11.0 and earlier. The flaw permits unauthenticated remote access to a critical function, carrying a CVSS 3.1 base score of 9.8 that reflects network attackability without credentials or user interaction and full impact on confidentiality, integrity, and availability.
An unauthenticated attacker can send crafted HTTP requests to the affected endpoint and thereby influence device behavior in multiple unspecified ways, potentially leading to complete compromise of the traffic-management system.
The sole reference is an advisory published by Nozomi Networks that describes the issue and is available at the listed URL; no vendor patch or configuration workaround details are supplied in the available data. The associated EPSS score remains low, with a current value of 0.0099 and a peak of 0.0162.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4151
Vulnerability details
A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability in multiple unspecified ways via crafted HTTP requests.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authentication in the public-facing web management application (handleRoute.lua) enables unauthenticated remote exploitation for initial access (T1190: Exploit Public-Facing Application) and facilitates denial of service via crafted HTTP requests (T1499.004: Application or System Exploitation), with potential for configuration changes impacting confidentiality, integrity, and availability.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-14 directly requires identification, authorization, and documentation of critical functions like handleRoute.lua that permit access without authentication, mitigating CWE-306 unauthenticated remote exploitation.
AC-3 enforces approved access control policies that prevent unauthenticated attackers from accessing critical functions via crafted HTTP requests.
SC-14 enforces authorizations for public web interfaces and APIs, directly protecting exposed HTTP endpoints like handleRoute.lua from unauthenticated compromise.