Cyber Posture

CVE-2025-26343

Severity: High

Published: 12 February 2025
Modified: 24 October 2025
KEV Added: not listed
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0054 (67.7th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-26343 is a high-severity Weak Authentication (CWE-1390) vulnerability in Q-Free MaxTime. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001). The CVE ranks in the top 32.3% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Password Guessing (T1110.001). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent (AC-7, Unsuccessful Logon Attempts): Directly mitigates brute-force PIN attacks by enforcing limits on consecutive unsuccessful logon attempts and automatic account lockouts.

Prevent (IA-5, Authenticator Management): Ensures PIN authenticators have sufficient strength of mechanism and are managed to resist brute-force guessing through proper distribution, refresh, and protection.

Prevent: Provides rate-based attack prevention and denial-of-service protections at network boundaries to limit the volume of crafted HTTP requests used in PIN brute-forcing.
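The AC-7 and IA-5 controls above, shown as a minimal PIN verifier: an added example for this page, not code from Q-Free MaxTime or from the advisory. It stores a salted PBKDF2 hash of the PIN instead of the PIN itself, compares in constant time, and locks the account after a fixed number of consecutive failures; the account layout, the limits and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

MAX_FAILURES = 5        # AC-7: consecutive unsuccessful attempts tolerated (assumed value)
LOCKOUT_SECONDS = 900   # AC-7: automatic lockout duration once the limit is hit (assumed value)


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    failures: int = 0          # consecutive failures since the last success
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # IA-5: keep a salted, slow hash of the authenticator, never the PIN itself
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 100_000)


def enroll(pin: str) -> Account:
    """Create an account record for a freshly issued PIN (constructed sample data)."""
    salt = os.urandom(16)
    return Account(salt=salt, pin_hash=_hash_pin(pin, salt))


def verify_pin(acct: Account, pin: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'bad_pin' or 'locked'. `now` is injectable so tests can control time."""
    now = time.time() if now is None else now
    if now < acct.locked_until:
        return "locked"  # refuse outright; the guess is never evaluated while locked
    if hmac.compare_digest(_hash_pin(pin, acct.salt), acct.pin_hash):
        acct.failures = 0  # a success resets the consecutive-failure counter
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked_until = now + LOCKOUT_SECONDS  # AC-7 automatic lockout
        acct.failures = 0
    return "bad_pin"
```

Per-account lockout alone lets an attacker deny service to a user by deliberately failing, so in practice it is paired with the boundary rate limiting named in the third control above.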

MITRE ATT&CK Enterprise Techniques

T1110.001 Password Guessing (Credential Access)
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Why these techniques?

The vulnerability enables unauthenticated remote brute-force attacks on user PINs via HTTP requests, directly facilitating Password Guessing (T1110.001).

NVD Description

A CWE-1390 "Weak Authentication" in the PIN authentication mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to brute-force user PINs via multiple crafted HTTP requests.

Deeper analysis

CVE-2025-26343 is a CWE-1390 "Weak Authentication" vulnerability in the PIN authentication mechanism of Q-Free MaxTime versions less than or equal to 2.11.0. This flaw enables an unauthenticated remote attacker to brute-force user PINs by sending multiple crafted HTTP requests, undermining the security of the authentication process. The vulnerability received a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its high impact on confidentiality, integrity, and availability despite requiring high attack complexity.

An unauthenticated attacker with network access to the affected Q-Free MaxTime instance can exploit this vulnerability by repeatedly submitting crafted HTTP requests to guess user PINs. Successful brute-forcing grants unauthorized access to authenticated user sessions or resources protected by the PIN mechanism, potentially allowing full compromise of the system with high confidentiality, integrity, and availability impacts.

For mitigation details, refer to the advisory published by Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26343. The vulnerability was publicly disclosed on 2025-02-12.

Details

CWE(s)

CWE-1390 Weak Authentication

Affected Products

q-free maxtime ≤ 2.11.0

CVEs Like This One

CVE-2025-26349 (same product: Q-Free MaxTime)
CVE-2025-26371 (same product: Q-Free MaxTime)
CVE-2025-1100 (same product: Q-Free MaxTime)
CVE-2025-26342 (same product: Q-Free MaxTime)
CVE-2025-26346 (same product: Q-Free MaxTime)
CVE-2025-26347 (same product: Q-Free MaxTime)
CVE-2025-26372 (same product: Q-Free MaxTime)
CVE-2025-26341 (same product: Q-Free MaxTime)
CVE-2025-26339 (same product: Q-Free MaxTime)
CVE-2025-26370 (same product: Q-Free MaxTime)

References