CVE-2025-26369
Published: 12 February 2025
Summary
CVE-2025-26369 is a high-severity Missing Authorization (CWE-862) vulnerability in Q-Free Maxtime. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 35.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-2 (Account Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates enforcement of approved authorizations for access to system resources, addressing the missing authorization check that allows low-privileged users to modify user group privileges.
Enforces the principle of least privilege to restrict low-privileged users from performing privilege modifications on user groups.
Requires proper management of accounts and group memberships to prevent unauthorized privilege escalations via crafted requests.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows an authenticated low-privileged attacker to add privileges to user groups via crafted HTTP requests, enabling exploitation for privilege escalation (T1068) and account manipulation by adding privileges to local groups (T1098.007).
NVD Description
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to user groups via crafted HTTP requests.
Deeper analysisAI
CVE-2025-26369 is a CWE-862 "Missing Authorization" vulnerability in the maxprofile/user-groups/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. This flaw enables unauthorized modifications to user group privileges through crafted HTTP requests, bypassing intended access controls. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
An authenticated attacker with low privileges can exploit this issue remotely over the network with low complexity and no user interaction required. By sending specially crafted HTTP requests to the affected endpoint, the attacker can elevate privileges within user groups, potentially granting themselves or others administrative access and enabling further compromise of the system.
For mitigation details, refer to the advisory published by Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26369, which was released alongside the CVE on 2025-02-12.
Details
- CWE(s)