CVE-2025-26368
Published: 12 February 2025
Summary
CVE-2025-26368 is a high-severity Missing Authorization (CWE-862) vulnerability in Q-Free Maxtime. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 35.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-26368, published on 2025-02-12, is a CWE-862 Missing Authorization vulnerability affecting the maxprofile/user-groups/routes.lua component in Q-Free MaxTime versions less than or equal to 2.11.0. The issue enables an authenticated low-privileged attacker to remove user groups through crafted HTTP requests, with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).
A low-privileged authenticated user can exploit this vulnerability remotely with low complexity and no user interaction required. By sending crafted HTTP requests to the vulnerable endpoint, the attacker bypasses authorization controls, achieving high integrity and availability impacts through the unauthorized removal of user groups, potentially disrupting access management and system functionality.
Mitigation details are available in the advisory published by Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26368.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4180
Vulnerability details
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove user groups via crafted HTTP requests.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization allows low-privileged authenticated attackers to remove user groups via crafted HTTP requests, enabling exploitation for privilege escalation (T1068), account manipulation (T1098), and account access removal for impact (T1531).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-3 mandates enforcement of approved authorizations for access to system resources, directly countering the missing authorization in the user-groups endpoint that permits low-privileged deletion of user groups.
AC-6 enforces least privilege, ensuring low-privileged users cannot perform high-impact actions like removing user groups without proper authorization.
AC-2 requires proper management and review of accounts and group memberships, helping prevent unauthorized modifications to user groups by low-privileged attackers.