CVE-2025-26371
Published: 12 February 2025
Summary
CVE-2025-26371 is a high-severity Missing Authorization (CWE-862) vulnerability in Q-Free Maxtime. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 35.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-2 (Account Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for logical access, directly addressing the missing authorization check that allows low-privileged attackers to add users to groups.
Employs least privilege to restrict low-privileged users from performing administrative group membership changes, limiting the impact of bypassed authorization.
Manages accounts including group memberships to ensure only authorized conditions allow modifications, mitigating improper user-group manipulations.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The missing authorization vulnerability enables low-privileged authenticated attackers to add users to groups via crafted HTTP requests, directly facilitating exploitation for privilege escalation (T1068) and account manipulation by adding to additional local or domain groups (T1098.007).
NVD Description
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add users to groups via crafted HTTP requests.
Deeper analysisAI
CVE-2025-26371, published on 2025-02-12, is a CWE-862 Missing Authorization vulnerability in the maxprofile/user-groups/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. The flaw enables an authenticated low-privileged attacker to add users to groups through crafted HTTP requests, bypassing proper authorization checks.
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility, low attack complexity, and the need for low privileges without user interaction or scope changes. A low-privileged authenticated attacker can exploit it remotely to manipulate user group memberships, potentially achieving privilege escalation by elevating other users' access levels and impacting confidentiality, integrity, and availability with high severity.
Mitigation details are available in the advisory from Nozomi Networks Labs at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26371.
Details
- CWE(s)