CVE-2025-26368
Published: 12 February 2025
Summary
CVE-2025-26368 is a high-severity Missing Authorization (CWE-862) vulnerability in Q-Free Maxtime. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 35.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 mandates enforcement of approved authorizations for access to system resources, directly countering the missing authorization in the user-groups endpoint that permits low-privileged deletion of user groups.
AC-6 enforces least privilege, ensuring low-privileged users cannot perform high-impact actions like removing user groups without proper authorization.
AC-2 requires proper management and review of accounts and group memberships, helping prevent unauthorized modifications to user groups by low-privileged attackers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization allows low-privileged authenticated attackers to remove user groups via crafted HTTP requests, enabling exploitation for privilege escalation (T1068), account manipulation (T1098), and account access removal for impact (T1531).
NVD Description
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove user groups via crafted HTTP requests.
Deeper analysisAI
CVE-2025-26368, published on 2025-02-12, is a CWE-862 Missing Authorization vulnerability affecting the maxprofile/user-groups/routes.lua component in Q-Free MaxTime versions less than or equal to 2.11.0. The issue enables an authenticated low-privileged attacker to remove user groups through crafted HTTP requests, with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).
A low-privileged authenticated user can exploit this vulnerability remotely with low complexity and no user interaction required. By sending crafted HTTP requests to the vulnerable endpoint, the attacker bypasses authorization controls, achieving high integrity and availability impacts through the unauthorized removal of user groups, potentially disrupting access management and system functionality.
Mitigation details are available in the advisory published by Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26368.
Details
- CWE(s)