CVE-2025-26345
Published: 12 February 2025
Summary
CVE-2025-26345 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Q-Free Maxtime. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 26.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
The vulnerability CVE-2025-26345 is a missing authentication for a critical function (CWE-306) in the maxprofile/menu/routes.lua component of Q-Free MaxTime version 2.11.0 and earlier. It is rated 9.8 on CVSS v3.1: network attack vector, low attack complexity, no privileges required, and no user interaction required.
An unauthenticated remote attacker can exploit the flaw by submitting crafted HTTP requests that directly invoke the unprotected function, enabling arbitrary edits to user group permissions and resulting in full compromise of confidentiality, integrity, and availability on the target system.
The referenced Nozomi Networks advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26345 supplies additional technical context on the issue. The associated EPSS values remain low, with a current score of 0.0075 and a peak of 0.0123.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4157
Vulnerability details
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user group permissions via crafted HTTP requests.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote access that edits user group permissions through a public-facing web application maps to Exploit Public-Facing Application (T1190) and Exploitation for Privilege Escalation (T1068), and the resulting edits map to Account Manipulation (T1098, T1098.007).
Mitigating Controls (NIST 800-53 r5)
AC-14 requires that critical functions, such as editing user group permissions, are explicitly restricted to authenticated users, which directly prevents the unauthenticated access described in this CVE.
AC-3 enforces approved authorizations for access to system resources, addressing the lack of enforcement that allowed unauthenticated editing of user group permissions.
AC-6 limits privileges to the minimum necessary, mitigating the impact of unauthorized permission modifications by ensuring affected groups have restricted access.
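To make the CWE-306 pattern in the vulnerability details and the AC-14/AC-3 controls above concrete, here is an added illustration in Python. It is hypothetical code, not Q-Free MaxTime's maxprofile/menu/routes.lua: a permission-editing route with no authentication check beside the hardened form, plus a small route-table audit a defender can run over an application's registered routes.

```python
"""CWE-306 on a group-permission editing route: the unprotected handler beside a
hardened one. Hypothetical illustration, not Q-Free MaxTime's routes.lua."""
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


# Constructed session store: token -> identity. One admin and one read-only user.
SESSIONS = {
    "tok-admin": {"user": "admin", "role": "admin"},
    "tok-viewer": {"user": "viewer", "role": "viewer"},
}


def edit_group_permissions_unprotected(req, perms):
    """Vulnerable pattern: the route edits permissions for whoever calls it."""
    group = req.body["group"]
    perms[group] = set(req.body["permissions"])
    return 200, {"group": group, "permissions": sorted(perms[group])}


def authenticate(req):
    """Resolve a bearer token to a session; None means unauthenticated."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def edit_group_permissions_protected(req, perms):
    """Hardened pattern: require authentication (AC-14), then an authorization
    decision (AC-3), before the critical function touches any state."""
    session = authenticate(req)
    if session is None:
        return 401, {"error": "authentication required"}
    if session["role"] != "admin":
        return 403, {"error": "not permitted to edit group permissions"}
    return edit_group_permissions_unprotected(req, perms)


def audit_routes(routes):
    """Defender check: list critical routes registered without an auth guard."""
    return [r["path"] for r in routes if r["critical"] and not r["requires_auth"]]
```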