CVE-2025-26366
Published: 12 February 2025
Summary
CVE-2025-26366 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Q-Free Maxtime. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 31.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates missing authentication for the critical function by requiring definition and enforcement of limitations on permitted actions without identification or authentication, preventing unauthenticated disabling of front panel authentication.
Enforces approved authorizations for logical access to the system, blocking unauthenticated crafted HTTP requests to the vulnerable maxprofile/setup/routes.lua endpoint.
Monitors and controls communications at external boundaries, restricting network access to the unauthenticated critical function endpoint and detecting exploitation attempts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a missing authentication for a critical function in the exposed web management interface (maxprofile/setup/routes.lua), enabling unauthenticated remote attackers to send crafted HTTP requests to disable front panel authentication, which aligns with T1190: Exploit Public-Facing Application.
NVD Description
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable front panel authentication via crafted HTTP requests.
Deeper analysisAI
CVE-2025-26366 is a CWE-306 Missing Authentication for Critical Function vulnerability in the maxprofile/setup/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. Published on 2025-02-12, it enables an unauthenticated remote attacker to disable front panel authentication by sending crafted HTTP requests to the affected endpoint. The issue carries a CVSS v3.1 base score of 7.5, reflecting network accessibility, low attack complexity, no privileges or user interaction required, unchanged scope, high integrity impact, and no confidentiality or availability impact.
Any unauthenticated attacker with network access to a vulnerable Q-Free MaxTime instance can exploit this flaw. By crafting and transmitting specific HTTP requests to the unprotected routes.lua endpoint, the attacker achieves disabling of front panel authentication, compromising the integrity of access controls on the device.
Mitigation guidance is available in the Nozomi Networks vulnerability advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26366.
Details
- CWE(s)