Cyber Resilience

CVE-2025-26366

High

Published: 12 February 2025

Published
12 February 2025
Modified
28 October 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0057 69.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26366 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Q-Free Maxtime. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 31.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

Q-Free MaxTime versions less than or equal to 2.11.0 are affected by CVE-2025-26366, a CWE-306 missing authentication for critical function vulnerability located in maxprofile/setup/routes.lua. The flaw allows interaction with an authentication-related endpoint without any credentials, carrying a CVSS 3.1 score of 7.5 that reflects network attack vector, low complexity, and high integrity impact.

An unauthenticated remote attacker can send crafted HTTP requests to disable front panel authentication on the device. Successful exploitation grants the ability to bypass local access controls, after which further actions on the system become possible without the usual authentication step.

The EPSS score rose from a low baseline to a recorded peak of 0.0135, signaling increased exploitation interest after public disclosure. Additional technical details and context are provided in the Nozomi Networks advisory referenced for this CVE.

EU & UK References

Vulnerability details

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable front panel authentication via crafted HTTP requests.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a missing authentication for a critical function in the exposed web management interface (maxprofile/setup/routes.lua), enabling unauthenticated remote attackers to send crafted HTTP requests to disable front panel authentication, which aligns with T1190: Exploit Public-Facing Application.

CVEs Like This One

CVE-2025-26362Same product: Q-Free Maxtime
CVE-2025-26363Same product: Q-Free Maxtime
CVE-2025-26344Same product: Q-Free Maxtime
CVE-2025-26365Same product: Q-Free Maxtime
CVE-2025-26359Same product: Q-Free Maxtime
CVE-2025-26339Same product: Q-Free Maxtime
CVE-2025-26347Same product: Q-Free Maxtime
CVE-2025-26364Same product: Q-Free Maxtime
CVE-2025-26341Same product: Q-Free Maxtime
CVE-2025-26342Same product: Q-Free Maxtime

Affected Assets

q-free
maxtime
≤ 2.11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates missing authentication for the critical function by requiring definition and enforcement of limitations on permitted actions without identification or authentication, preventing unauthenticated disabling of front panel authentication.

prevent

Enforces approved authorizations for logical access to the system, blocking unauthenticated crafted HTTP requests to the vulnerable maxprofile/setup/routes.lua endpoint.

preventdetect

Monitors and controls communications at external boundaries, restricting network access to the unauthenticated critical function endpoint and detecting exploitation attempts.

References