CVE-2025-26366
Published: 12 February 2025
Summary
CVE-2025-26366 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Q-Free Maxtime. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 31.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
Q-Free MaxTime versions less than or equal to 2.11.0 are affected by CVE-2025-26366, a CWE-306 missing authentication for critical function vulnerability located in maxprofile/setup/routes.lua. The flaw allows interaction with an authentication-related endpoint without any credentials, carrying a CVSS 3.1 score of 7.5 that reflects network attack vector, low complexity, and high integrity impact.
An unauthenticated remote attacker can send crafted HTTP requests to disable front panel authentication on the device. Successful exploitation grants the ability to bypass local access controls, after which further actions on the system become possible without the usual authentication step.
The EPSS score rose from a low baseline to a recorded peak of 0.0135, signaling increased exploitation interest after public disclosure. Additional technical details and context are provided in the Nozomi Networks advisory referenced for this CVE.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4178
Vulnerability details
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable front panel authentication via crafted HTTP requests.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a missing authentication for a critical function in the exposed web management interface (maxprofile/setup/routes.lua), enabling unauthenticated remote attackers to send crafted HTTP requests to disable front panel authentication, which aligns with T1190: Exploit Public-Facing Application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates missing authentication for the critical function by requiring definition and enforcement of limitations on permitted actions without identification or authentication, preventing unauthenticated disabling of front panel authentication.
Enforces approved authorizations for logical access to the system, blocking unauthenticated crafted HTTP requests to the vulnerable maxprofile/setup/routes.lua endpoint.
Monitors and controls communications at external boundaries, restricting network access to the unauthenticated critical function endpoint and detecting exploitation attempts.