CVE-2025-26361
Published: 12 February 2025
Summary
CVE-2025-26361 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Q-Free Maxtime. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485); ranked in the top 20.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-14 directly mandates identification, authorization, and review of critical functions like factory reset that are permitted without authentication, preventing unauthenticated access to the vulnerable setup endpoint.
AC-3 enforces approved access control policies requiring authentication for logical access to system resources, blocking unauthenticated crafted HTTP requests to the factory reset function.
SI-2 requires timely identification, reporting, and correction of software flaws such as the missing authentication in maxprofile/setup/routes.lua, eliminating the vulnerability through patching.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables unauthenticated remote factory reset of the device, erasing configurations (data destruction, T1485) and causing denial of service through exploitation of the web application (T1499.004).
NVD Description
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to factory reset the device via crafted HTTP requests.
Deeper analysisAI
CVE-2025-26361 is a CWE-306 "Missing Authentication for Critical Function" vulnerability in the maxprofile/setup/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. It enables an unauthenticated remote attacker to perform a factory reset of the device by sending crafted HTTP requests to the affected endpoint. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), reflecting its critical severity due to high impacts on integrity and availability with no confidentiality impact.
An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. By crafting and sending specific HTTP requests to the setup routes, the attacker achieves a full factory reset of the Q-Free MaxTime device, potentially disrupting operations, erasing configurations, and requiring manual reconfiguration.
For mitigation details, refer to the advisory published by Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26361.
Details
- CWE(s)