CVE-2025-26341
Published: 12 February 2025
Summary
CVE-2025-26341 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Q-Free Maxtime. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098); ranked in the top 23.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires identification and limitation of critical functions, such as password resets, that permit actions without authentication, preventing unauthenticated exploitation.
Enforces approved authorizations for access to system resources, ensuring authentication is required for sensitive operations like arbitrary password resets.
Manages user accounts and access authorizations, including procedures to protect against unauthorized password modifications or resets.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated password reset vulnerability in a exposed management web app enables exploitation of public-facing application (T1190), direct account manipulation via password changes (T1098), and obtaining valid accounts for further access (T1078).
NVD Description
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset arbitrary user passwords via crafted HTTP requests.
Deeper analysisAI
CVE-2025-26341, published on 2025-02-12, is a critical vulnerability with a CVSS v3.1 base score of 9.8, classified under CWE-306 (Missing Authentication for Critical Function). It affects Q-Free MaxTime versions less than or equal to 2.11.0, specifically in the maxprofile/accounts/routes.lua component. The flaw allows an unauthenticated remote attacker to reset arbitrary user passwords by sending crafted HTTP requests, bypassing any authentication checks for this sensitive operation.
The attack scenario targets systems exposed to the network, requiring no privileges, user interaction, or special conditions (AV:N/AC:L/PR:N/UI:N/S:U). An unauthenticated remote attacker can exploit this to reset passwords for any user account, leading to high impacts on confidentiality (C:H), integrity (I:H), and availability (A:H). This could enable full account takeover, privilege escalation, or broader system compromise depending on the targeted accounts.
Mitigation details are available in the advisory published by Nozomi Networks Labs at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26341.
Details
- CWE(s)