CVE-2025-26363
Published: 12 February 2025
Summary
CVE-2025-26363 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Q-Free MaxTime. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 31.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-14 identifies and reviews the [system-defined] actions permitted without identification or authentication, directly preventing unauthenticated access to critical setup functions such as those exposed by maxprofile/setup/routes.lua.
AC-3 enforces logical access authorizations in accordance with policy, mitigating the missing authentication check for enabling the authentication profile server.
SI-2 requires timely flaw remediation, directly addressing this CVE by patching the vulnerable maxprofile/setup/routes.lua component in Q-Free MaxTime versions 2.11.0 and earlier.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a missing authentication check for a critical function in a public-facing management web application. It allows unauthenticated remote attackers to send crafted HTTP requests that enable an authentication profile server and potentially bypass authentication, which maps directly to exploitation of a public-facing application (T1190).
NVD Description
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable an authentication profile server via crafted HTTP requests.
Deeper analysis
CVE-2025-26363 is a CWE-306 missing authentication vulnerability in the maxprofile/setup/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. Published on 2025-02-12, it enables an unauthenticated remote attacker to activate an authentication profile server by sending crafted HTTP requests to the affected endpoint, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
An unauthenticated attacker with network access to a vulnerable Q-Free MaxTime instance can exploit this flaw with low attack complexity and no user interaction. Exploitation consists of sending crafted HTTP requests to the routes.lua handler, which enables an authentication profile server without any authorization check. The result is a high integrity impact: an attacker can alter the authentication configuration of the device, while confidentiality and availability are not directly affected (C:N/A:N in the vector above).
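The defensive pattern behind the AC-14 and AC-3 controls listed above is a deny-by-default route dispatcher: every setup action requires an authenticated caller unless it appears on a short, explicit allowlist of actions permitted without identification. The Python below is an added illustration of that pattern and is not Q-Free code; the route names, session tokens and handlers are constructed for the example, and the vulnerable dispatcher is shown only to make the missing check visible next to the hardened one.

```python
"""Added example (not Q-Free MaxTime code): a minimal route dispatcher that
shows the CWE-306 defect (no authentication before a critical setup action)
beside a hardened dispatcher that enforces authentication by default and
permits only an explicit allowlist of actions without it (the AC-14 idea).
All paths, tokens and handlers are constructed for illustration."""

from dataclasses import dataclass, field

# Constructed session store: bearer token -> user name.
# A real application would consult its session layer instead.
VALID_SESSIONS = {"tok-admin-0001": "admin"}

# Constructed device state that the critical setup action changes.
_STATE = {"profile_server_enabled": False}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


# AC-14: the only actions permitted without identification or authentication.
# Everything else under /setup/ requires an authenticated caller.
UNAUTHENTICATED_ALLOWLIST = {"/setup/health"}


def reset_state():
    """Return the constructed device state to its initial value."""
    _STATE["profile_server_enabled"] = False


def profile_server_enabled():
    return _STATE["profile_server_enabled"]


def authenticate(req):
    """Return the user name for a valid bearer token, else None."""
    token = req.headers.get("Authorization", "")
    if token.startswith("Bearer "):
        return VALID_SESSIONS.get(token[len("Bearer "):])
    return None


def handle_health(req, user):
    return Response(200, "ok")


def handle_enable_profile_server(req, user):
    # Critical function: changes how the device authenticates users.
    _STATE["profile_server_enabled"] = True
    return Response(200, f"profile server enabled by {user}")


ROUTES = {
    "/setup/health": handle_health,
    "/setup/enable-profile-server": handle_enable_profile_server,
}


def dispatch_vulnerable(req):
    """CWE-306 shape: the handler runs without any authentication check."""
    handler = ROUTES.get(req.path)
    if handler is None:
        return Response(404, "not found")
    return handler(req, None)


def dispatch_hardened(req):
    """AC-3 enforcement: authenticate first, deny by default, allowlist the rest."""
    handler = ROUTES.get(req.path)
    if handler is None:
        return Response(404, "not found")
    user = authenticate(req)
    if req.path not in UNAUTHENTICATED_ALLOWLIST and user is None:
        return Response(401, "authentication required")
    return handler(req, user)


if __name__ == "__main__":
    anon = Request("/setup/enable-profile-server")
    print("vulnerable:", dispatch_vulnerable(anon).status, profile_server_enabled())
    reset_state()
    print("hardened, anonymous:", dispatch_hardened(anon).status, profile_server_enabled())
    admin = Request("/setup/enable-profile-server",
                    {"Authorization": "Bearer tok-admin-0001"})
    print("hardened, authenticated:", dispatch_hardened(admin).status, profile_server_enabled())
```

The important design choice is that the authentication decision lives in the dispatcher, not in each handler: a handler added later cannot forget the check, and the allowlist is the single place a reviewer has to inspect to see which actions are reachable without identification.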
Mitigation guidance and additional details are provided in the Nozomi Networks vulnerability advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26363.
Details
- CWE(s): CWE-306 (Missing Authentication for Critical Function)