CVE-2025-26361
Published: 12 February 2025
Summary
CVE-2025-26361 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Q-Free Maxtime. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485); ranked in the top 20.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-26361 is a missing authentication vulnerability (CWE-306) affecting the maxprofile/setup/routes.lua component in Q-Free MaxTime versions up to and including 2.11.0. The flaw permits unauthenticated remote access to a critical function that triggers a factory reset of the device when supplied with specially crafted HTTP requests. It carries a CVSS 3.1 base score of 9.1, reflecting network attack vector, low complexity, and no required privileges or user interaction.
An unauthenticated attacker with network access can send the malicious requests to reset the target device, resulting in loss of integrity and availability without any prior authentication or configuration changes. The attack requires only the ability to reach the affected HTTP endpoints.
The public advisory published by Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26361 provides further details on the issue and recommended mitigations. Exploitation probability remains low, with an EPSS score of 0.0125 and a recorded peak of 0.0212.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4173
Vulnerability details
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to factory reset the device via crafted HTTP requests.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables unauthenticated remote factory reset of the device, erasing configurations (data destruction, T1485) and causing denial of service through exploitation of the web application (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-14 directly mandates identification, authorization, and review of critical functions like factory reset that are permitted without authentication, preventing unauthenticated access to the vulnerable setup endpoint.
AC-3 enforces approved access control policies requiring authentication for logical access to system resources, blocking unauthenticated crafted HTTP requests to the factory reset function.
SI-2 requires timely identification, reporting, and correction of software flaws such as the missing authentication in maxprofile/setup/routes.lua, eliminating the vulnerability through patching.