Cyber Resilience

CVE-2025-26361

Critical

Published: 12 February 2025

Published
12 February 2025
Modified
28 October 2025
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS Score 0.0125 79.7th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26361 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Q-Free Maxtime. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485); ranked in the top 20.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-26361 is a missing authentication vulnerability (CWE-306) affecting the maxprofile/setup/routes.lua component in Q-Free MaxTime versions up to and including 2.11.0. The flaw permits unauthenticated remote access to a critical function that triggers a factory reset of the device when supplied with specially crafted HTTP requests. It carries a CVSS 3.1 base score of 9.1, reflecting network attack vector, low complexity, and no required privileges or user interaction.

An unauthenticated attacker with network access can send the malicious requests to reset the target device, resulting in loss of integrity and availability without any prior authentication or configuration changes. The attack requires only the ability to reach the affected HTTP endpoints.

The public advisory published by Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26361 provides further details on the issue and recommended mitigations. Exploitation probability remains low, with an EPSS score of 0.0125 and a recorded peak of 0.0212.

EU & UK References

Vulnerability details

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to factory reset the device via crafted HTTP requests.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability enables unauthenticated remote factory reset of the device, erasing configurations (data destruction, T1485) and causing denial of service through exploitation of the web application (T1499.004).

CVEs Like This One

CVE-2025-26339Same product: Q-Free Maxtime
CVE-2025-26359Same product: Q-Free Maxtime
CVE-2025-26364Same product: Q-Free Maxtime
CVE-2025-26341Same product: Q-Free Maxtime
CVE-2025-26362Same product: Q-Free Maxtime
CVE-2025-26345Same product: Q-Free Maxtime
CVE-2025-26363Same product: Q-Free Maxtime
CVE-2025-26342Same product: Q-Free Maxtime
CVE-2025-26347Same product: Q-Free Maxtime
CVE-2025-26344Same product: Q-Free Maxtime

Affected Assets

q-free
maxtime
≤ 2.11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-14 directly mandates identification, authorization, and review of critical functions like factory reset that are permitted without authentication, preventing unauthenticated access to the vulnerable setup endpoint.

prevent

AC-3 enforces approved access control policies requiring authentication for logical access to system resources, blocking unauthenticated crafted HTTP requests to the factory reset function.

prevent

SI-2 requires timely identification, reporting, and correction of software flaws such as the missing authentication in maxprofile/setup/routes.lua, eliminating the vulnerability through patching.

References