CVE-2025-26342
Published: 12 February 2025
Summary
CVE-2025-26342 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Q-Free MaxTime. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked in the top 23.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-2 (Account Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-14 directly mandates identification and restriction of critical functions like user creation that are permitted without authentication, preventing unauthenticated arbitrary account creation.
AC-3 enforces access control policies to block unauthenticated remote attackers from accessing the vulnerable user creation endpoint in maxprofile/accounts/routes.lua.
AC-2 governs account management processes to ensure only authorized entities can create users, including administrators, mitigating exploitation of the missing authentication.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication in the web application allows unauthenticated remote creation of arbitrary local administrator accounts, enabling T1190 (Exploit Public-Facing Application), T1068 (Exploitation for Privilege Escalation), and T1136.001 (Create Account: Local Account).
NVD Description
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to create arbitrary users, including administrators, via crafted HTTP requests.
Deeper analysis
CVE-2025-26342, published on 2025-02-12, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) classified as CWE-306, Missing Authentication for Critical Function. It affects the maxprofile/accounts/routes.lua component in Q-Free MaxTime versions less than or equal to 2.11.0. The issue enables unauthenticated remote attackers to create arbitrary users, including administrators, by sending crafted HTTP requests.
An unauthenticated remote attacker with network access can exploit this vulnerability without requiring privileges, user interaction, or special conditions due to its low attack complexity. Exploitation allows the creation of unauthorized accounts with elevated privileges, such as administrator roles, potentially compromising the entire system through unauthorized access, data manipulation, and disruption.
For details on mitigation, including any patches or workarounds, refer to the advisory from Nozomi Networks Labs at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26342.
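The following is an added illustration of the CWE-306 pattern described above and of the AC-14 / AC-2 controls listed under Mitigating Controls; it is not code from Q-Free or from maxprofile/accounts/routes.lua. The route names, request and session shapes, the in-memory user table and all helper functions are assumptions made for this example. It shows a Lua route handler that creates accounts with no check of the caller beside a hardened dispatcher that keeps an explicit allow-list of functions permitted without identification and applies default-deny authentication, then role-based authorization, before any account-management handler runs.

```lua
-- Added example (not Q-Free's code). Route keys, session fields, the `users`
-- table and every helper below are constructed for this illustration.

local users = {}  -- constructed in-memory user store; key = user name

-- BEFORE (the CWE-306 shape): the handler trusts the request body and creates
-- the account, including its role, without checking who is asking.
local function create_user_unchecked(req)
  users[req.body.username] = { role = req.body.role or "user" }
  return { status = 201 }
end

-- AFTER, step 1 (AC-14): the only functions permitted without identification
-- are listed here. Anything not on this list requires an authenticated session.
local PUBLIC_ROUTES = {
  ["GET /login"]  = true,
  ["POST /login"] = true,
}

-- AFTER, step 2: the authentication gate. `req.session` is a stand-in for the
-- session object a real framework would attach to the request.
local function authenticate(req)
  local s = req.session
  if not s or not s.user_id or not users[s.user_id] then
    return nil, { status = 401 }
  end
  return users[s.user_id]
end

-- AFTER, step 3 (AC-2): only an existing administrator may create accounts,
-- and the requested name is validated before the write.
local function create_user_hardened(req, caller)
  if caller.role ~= "admin" then
    return { status = 403 }
  end
  local name, role = req.body.username, req.body.role or "user"
  if type(name) ~= "string" or name == "" or users[name] then
    return { status = 400 }
  end
  users[name] = { role = role }
  return { status = 201 }
end

local ROUTES = {
  ["POST /accounts"] = create_user_hardened,
}

-- Default-deny dispatcher: the gate runs before any non-public handler, so a
-- check forgotten inside one handler no longer exposes that function.
local function dispatch(req)
  local key = req.method .. " " .. req.path
  if PUBLIC_ROUTES[key] then
    return { status = 200 }  -- login handling is out of scope for this demo
  end
  local caller, err = authenticate(req)
  if not caller then return err end
  local handler = ROUTES[key]
  if not handler then return { status = 404 } end
  return handler(req, caller)
end

-- Constructed requests: no session, a non-admin session, an admin session.
users["root"]  = { role = "admin" }
users["bob"]   = { role = "user" }

local no_session = { method = "POST", path = "/accounts",
                     body = { username = "newadmin", role = "admin" } }
local as_bob     = { method = "POST", path = "/accounts", session = { user_id = "bob" },
                     body = { username = "newadmin", role = "admin" } }
local as_root    = { method = "POST", path = "/accounts", session = { user_id = "root" },
                     body = { username = "alice", role = "user" } }

assert(create_user_unchecked(no_session).status == 201)  -- unchecked handler: written
users["newadmin"] = nil                                  -- undo the demo write
assert(dispatch(no_session).status == 401)               -- hardened: not identified
assert(dispatch(as_bob).status == 403)                   -- hardened: not authorized
assert(dispatch(as_root).status == 201 and users["alice"].role == "user")
assert(users["newadmin"] == nil)
print("ok")
```

The design point is that the authentication decision lives in the dispatcher with an explicit allow-list, not in each handler: reviewing the list of public routes is then the whole AC-14 inventory, and a new account-management route inherits the gate by default.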
Details
- CWE(s)