CVE-2025-26365
Published: 12 February 2025
Summary
CVE-2025-26365 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Q-Free Maxtime. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 31.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-14 explicitly identifies and precludes critical actions without identification or authentication, directly addressing the missing authentication for the front panel enablement function in routes.lua.
AC-3 enforces approved authorizations for access to system resources, preventing unauthenticated remote attackers from executing critical functions via crafted HTTP requests.
AC-6 applies least privilege to restrict the vulnerable endpoint to only authorized accesses necessary for tasks, mitigating unauthorized enabling of front panel authentication.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a missing authentication for a critical function in the public-facing web management interface (maxprofile/setup/routes.lua), enabling unauthenticated remote attackers to send crafted HTTP requests to enable front panel authentication and potentially lock out legitimate users, directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable front panel authentication via crafted HTTP requests.
Deeper analysisAI
CVE-2025-26365 is a CWE-306 "Missing Authentication for Critical Function" vulnerability in the maxprofile/setup/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. Published on 2025-02-12, it enables an unauthenticated remote attacker to enable front panel authentication through crafted HTTP requests. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), reflecting high integrity impact with no confidentiality or availability effects.
An unauthenticated attacker with network access to the affected system can exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable routes.lua endpoint. Exploitation requires no privileges, user interaction, or special complexity, allowing remote compromise of the authentication mechanism for front panel access and potentially altering system integrity.
Mitigation details are available in the advisory from Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26365.
Details
- CWE(s)