Cyber Resilience

CVE-2025-26339

Critical

Published: 12 February 2025

Published
12 February 2025
Modified
24 October 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0099 77.3th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26339 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Q-Free Maxtime. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-26339 is a missing authentication vulnerability (CWE-306) affecting the maxtime/handleRoute.lua component in Q-Free MaxTime versions 2.11.0 and earlier. The flaw permits unauthenticated remote access to a critical function, carrying a CVSS 3.1 base score of 9.8 that reflects network attackability without credentials or user interaction and full impact on confidentiality, integrity, and availability.

An unauthenticated attacker can send crafted HTTP requests to the affected endpoint and thereby influence device behavior in multiple unspecified ways, potentially leading to complete compromise of the traffic-management system.

The sole reference is an advisory published by Nozomi Networks that describes the issue and is available at the listed URL; no vendor patch or configuration workaround details are supplied in the available data. The associated EPSS score remains low, with a current value of 0.0099 and a peak of 0.0162.

EU & UK References

Vulnerability details

A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability in multiple unspecified ways via crafted HTTP requests.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Missing authentication in the public-facing web management application (handleRoute.lua) enables unauthenticated remote exploitation for initial access (T1190: Exploit Public-Facing Application) and facilitates denial of service via crafted HTTP requests (T1499.004: Application or System Exploitation), with potential for configuration changes impacting confidentiality, integrity, and availability.

CVEs Like This One

CVE-2025-26362Same product: Q-Free Maxtime
CVE-2025-26363Same product: Q-Free Maxtime
CVE-2025-26344Same product: Q-Free Maxtime
CVE-2025-26366Same product: Q-Free Maxtime
CVE-2025-26365Same product: Q-Free Maxtime
CVE-2025-26359Same product: Q-Free Maxtime
CVE-2025-26347Same product: Q-Free Maxtime
CVE-2025-26361Same product: Q-Free Maxtime
CVE-2025-26364Same product: Q-Free Maxtime
CVE-2025-26341Same product: Q-Free Maxtime

Affected Assets

q-free
maxtime
≤ 2.11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-14 directly requires identification, authorization, and documentation of critical functions like handleRoute.lua that permit access without authentication, mitigating CWE-306 unauthenticated remote exploitation.

prevent

AC-3 enforces approved access control policies that prevent unauthenticated attackers from accessing critical functions via crafted HTTP requests.

prevent

SC-14 enforces authorizations for public web interfaces and APIs, directly protecting exposed HTTP endpoints like handleRoute.lua from unauthenticated compromise.

References