Cyber Resilience

CVE-2025-26343

Severity: High

Published: 12 February 2025
Modified: 24 October 2025
KEV Added: not listed
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0054 (68.1st percentile)
Risk Priority: 17 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-26343 is a high-severity Weak Authentication (CWE-1390) vulnerability in Q-Free MaxTime. Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001). The CVE ranks in the top 31.9% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-26343 is a CWE-1390 "Weak Authentication" vulnerability in the PIN authentication mechanism of Q-Free MaxTime versions less than or equal to 2.11.0. This flaw enables an unauthenticated remote attacker to brute-force user PINs by sending multiple crafted HTTP requests, undermining the security of the authentication process. The vulnerability received a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its high impact on confidentiality, integrity, and availability despite requiring high attack complexity.

An unauthenticated attacker with network access to the affected Q-Free MaxTime instance can exploit this vulnerability by repeatedly submitting crafted HTTP requests to guess user PINs. Successful brute-forcing grants unauthorized access to authenticated user sessions or resources protected by the PIN mechanism, potentially allowing full compromise of the system with high confidentiality, integrity, and availability impacts.

For mitigation details, refer to the advisory published by Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26343. The vulnerability was publicly disclosed on 2025-02-12.

Vulnerability details

A CWE-1390 "Weak Authentication" in the PIN authentication mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to brute-force user PINs via multiple crafted HTTP requests.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1110.001 Password Guessing (Credential Access)
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Why these techniques?

The vulnerability enables unauthenticated remote brute-force attacks on user PINs via HTTP requests, directly facilitating Password Guessing (T1110.001).

CVEs Like This One

CVE-2025-26349 (same product: Q-Free MaxTime)
CVE-2025-26347 (same product: Q-Free MaxTime)
CVE-2025-26369 (same product: Q-Free MaxTime)
CVE-2025-26371 (same product: Q-Free MaxTime)
CVE-2025-26344 (same product: Q-Free MaxTime)
CVE-2025-26339 (same product: Q-Free MaxTime)
CVE-2025-1102 (same product: Q-Free MaxTime)
CVE-2025-26348 (same product: Q-Free MaxTime)
CVE-2025-26363 (same product: Q-Free MaxTime)
CVE-2025-26365 (same product: Q-Free MaxTime)

Affected Assets

q-free maxtime ≤ 2.11.0

Mitigating Controls (NIST 800-53 r5)

AC-7 Unsuccessful Logon Attempts (prevent)

Directly mitigates brute-force PIN attacks by enforcing limits on consecutive unsuccessful logon attempts and automatic account lockouts.

IA-5 Authenticator Management (prevent)

Ensures PIN authenticators have sufficient strength of mechanism and are managed to resist brute-force guessing through proper distribution, refresh, and protection.

prevent

Provides rate-based attack prevention and denial-of-service protections at network boundaries to limit the volume of crafted HTTP requests used in PIN brute-forcing.
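The AC-7 and IA-5 controls above describe what a PIN verifier must do to resist the guessing attack in this CVE. The following is an added illustration written for this page; it is not code from Q-Free MaxTime or from the Nozomi advisory, and it assumes nothing about how MaxTime stores or checks PINs. It shows a generic server-side PIN check that stores only a salted PBKDF2 hash of the PIN, compares it in constant time, counts consecutive failures per account, and locks the account for a fixed window once the limit is reached (the user names, PIN, limit of 5 attempts and 15-minute lockout are constructed values).

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed policy values for the example: AC-7 style limit on consecutive
# unsuccessful attempts and the lockout window applied once it is reached.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


@dataclass
class Account:
    """Per-user record: the PIN is never stored, only its salted hash."""
    salt: bytes
    pin_hash: bytes
    failures: int = 0          # consecutive unsuccessful attempts
    locked_until: float = 0.0  # monotonic timestamp; 0 means not locked


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # PBKDF2 keeps each guess expensive for an attacker who obtains the store.
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll(pin: str) -> Account:
    """Create an account record from a freshly chosen PIN (IA-5: protected storage)."""
    salt = os.urandom(SALT_BYTES)
    return Account(salt=salt, pin_hash=_hash_pin(pin, salt))


class PinAuthenticator:
    """Verifies PINs while enforcing a consecutive-failure lockout (AC-7)."""

    def __init__(self, accounts: dict, clock=time.monotonic):
        self.accounts = accounts
        self.clock = clock  # injectable so the lockout window can be tested
        self.audit: list = []  # (timestamp, user, outcome) for detection use

    def verify(self, user: str, pin: str) -> str:
        """Return one of 'ok', 'denied' or 'locked'."""
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            # Do the same amount of work for unknown users so response timing
            # does not reveal which user names exist.
            _hash_pin(pin, b"\x00" * SALT_BYTES)
            self.audit.append((now, user, "denied"))
            return "denied"

        if now < acct.locked_until:
            # Locked accounts are refused without evaluating the PIN at all,
            # so a correct guess during the window confirms nothing.
            self.audit.append((now, user, "locked"))
            return "locked"

        if hmac.compare_digest(_hash_pin(pin, acct.salt), acct.pin_hash):
            acct.failures = 0
            self.audit.append((now, user, "ok"))
            return "ok"

        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            self.audit.append((now, user, "locked"))
            return "locked"
        self.audit.append((now, user, "denied"))
        return "denied"


def demo() -> list:
    """Run a constructed scenario against a fake clock and return the outcomes."""
    t = [0.0]
    auth = PinAuthenticator({"alice": enroll("4831")}, clock=lambda: t[0])
    results = [auth.verify("alice", "0000") for _ in range(MAX_FAILURES)]
    results.append(auth.verify("alice", "4831"))  # correct PIN, but locked
    t[0] += LOCKOUT_SECONDS + 1                     # lockout window expires
    results.append(auth.verify("alice", "4831"))
    return results


if __name__ == "__main__":
    print(demo())
```

Each outcome is also appended to an audit list, which is the signal a SOC would forward: a burst of `denied` events followed by `locked` for one account, or spread across many accounts from one source, is the detection counterpart of the AC-7 control.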
