CVE-2025-26369
Published: 12 February 2025
Summary
CVE-2025-26369 is a high-severity Missing Authorization (CWE-862) vulnerability in Q-Free Maxtime. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 36.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-2 (Account Management).
Deeper analysis
CVE-2025-26369 is a CWE-862 "Missing Authorization" vulnerability in the maxprofile/user-groups/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. This flaw enables unauthorized modifications to user group privileges through crafted HTTP requests, bypassing intended access controls. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
An authenticated attacker with low privileges can exploit this issue remotely over the network with low complexity and no user interaction required. By sending specially crafted HTTP requests to the affected endpoint, the attacker can elevate privileges within user groups, potentially granting themselves or others administrative access and enabling further compromise of the system.
For mitigation details, refer to the advisory published by Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26369, which was released alongside the CVE on 2025-02-12.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4181
Vulnerability details
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to user groups via crafted HTTP requests.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows an authenticated low-privileged attacker to add privileges to user groups via crafted HTTP requests, enabling exploitation for privilege escalation (T1068) and account manipulation by adding privileges to local groups (T1098.007).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates enforcement of approved authorizations for access to system resources, addressing the missing authorization check that allows low-privileged users to modify user group privileges.
Enforces the principle of least privilege to restrict low-privileged users from performing privilege modifications on user groups.
Requires proper management of accounts and group memberships to prevent unauthorized privilege escalations via crafted requests.