CVE-2025-26363
Published: 12 February 2025
Summary
CVE-2025-26363 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Q-Free MaxTime. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 31.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
The vulnerability is a missing authentication for a critical function (CWE-306) in the file maxprofile/setup/routes.lua of Q-Free MaxTime versions up to and including 2.11.0. It is tracked as CVE-2025-26363 with a CVSS 3.1 base score of 7.5, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction.
An unauthenticated remote attacker can send crafted HTTP requests to enable an authentication profile server. This yields a high integrity impact, while confidentiality and availability are unaffected.
The associated EPSS score rose from a low baseline to a peak of 0.0135, indicating that exploitation interest emerged after disclosure. A technical advisory describing the issue is published by Nozomi Networks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4175
Vulnerability details
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable an authentication profile server via crafted HTTP requests.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a missing authentication check on a critical function in a public-facing management web application. Unauthenticated remote attackers can send crafted HTTP requests to enable an authentication profile server and potentially bypass authentication, which maps directly to exploitation of a public-facing application (T1190).
Mitigating Controls (NIST 800-53 r5)
AC-14 identifies and reviews [system-defined] actions permitted without authentication, directly preventing unauthenticated access to the critical setup endpoints defined in routes.lua.
AC-3 enforces logical access authorizations in accordance with policy, mitigating the missing authentication check for enabling the authentication profile server.
SI-2 requires timely flaw remediation, directly addressing this CVE by patching the vulnerable maxprofile/setup/routes.lua in Q-Free MaxTime versions 2.11.0 and earlier.