CVE-2025-26345

Critical

Published: 12 February 2025

Published

12 February 2025

Modified

24 October 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0075 73.3th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26345 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Q-Free Maxtime. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 26.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

AC-14 explicitly identifies and restricts critical functions like user group permission editing to those requiring authentication, directly preventing unauthenticated access to such capabilities.

AC-3 Access Enforcement good match

prevent

AC-3 enforces approved authorizations for access to system resources, addressing the lack of enforcement that allowed unauthenticated editing of user group permissions.

AC-6 Least Privilege partial match

prevent

AC-6 limits privileges to the minimum necessary, mitigating the impact of unauthorized permission modifications by ensuring affected groups have restricted access.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1098 Account Manipulation Persistence

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

attack.mitre.org →

T1098.007 Additional Local or Domain Groups Persistence

An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Unauthenticated remote access to edit user group permissions via public-facing web app enables exploitation for privilege escalation (T1068, T1190) and direct account/group manipulation (T1098, T1098.007).

NVD Description

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user group permissions via crafted HTTP requests.

Deeper analysisAI

CVE-2025-26345 is a CWE-306 "Missing Authentication for Critical Function" vulnerability affecting the maxprofile/menu/routes.lua component in Q-Free MaxTime versions less than or equal to 2.11.0. This flaw enables an unauthenticated remote attacker to edit user group permissions through crafted HTTP requests. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and potential for high confidentiality, integrity, and availability impacts.

An unauthenticated attacker with network access to the affected Q-Free MaxTime instance can exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable endpoint. Successful exploitation allows modification of user group permissions, potentially granting elevated privileges, enabling further compromise of the system, data exfiltration, or disruption of services without requiring prior authentication or user interaction.

Nozomi Networks has published a vulnerability advisory detailing CVE-2025-26345 at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26345, which security practitioners should consult for mitigation guidance and patch information.

Details

CWE(s): CWE-306

Affected Products

q-free

maxtime

≤ 2.11.0

CVEs Like This One

CVE-2025-26359Same product: Q-Free Maxtime

CVE-2025-26347Same product: Q-Free Maxtime

CVE-2025-26342Same product: Q-Free Maxtime

CVE-2025-26341Same product: Q-Free Maxtime

CVE-2025-26366Same product: Q-Free Maxtime

CVE-2025-26344Same product: Q-Free Maxtime

CVE-2025-26362Same product: Q-Free Maxtime

CVE-2025-26365Same product: Q-Free Maxtime

CVE-2025-26363Same product: Q-Free Maxtime

CVE-2025-26339Same product: Q-Free Maxtime

References

https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26345
Third Party Advisory · prodsec@nozominetworks.com