CVE-2025-26371
Published: 12 February 2025
Summary
CVE-2025-26371 is a high-severity Missing Authorization (CWE-862) vulnerability in Q-Free Maxtime. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 36.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-2 (Account Management).
Deeper analysis
CVE-2025-26371, published on 2025-02-12, is a CWE-862 Missing Authorization vulnerability in the maxprofile/user-groups/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. The flaw enables an authenticated low-privileged attacker to add users to groups through crafted HTTP requests, bypassing proper authorization checks.
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility, low attack complexity, and the need for low privileges without user interaction or scope changes. A low-privileged authenticated attacker can exploit it remotely to manipulate user group memberships, potentially achieving privilege escalation by elevating other users' access levels and impacting confidentiality, integrity, and availability with high severity.
Mitigation details are available in the advisory from Nozomi Networks Labs at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26371.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4183
Vulnerability details
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add users to groups via crafted HTTP requests.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The missing authorization vulnerability enables low-privileged authenticated attackers to add users to groups via crafted HTTP requests, directly facilitating exploitation for privilege escalation (T1068) and account manipulation by adding to additional local or domain groups (T1098.007).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations for logical access, directly addressing the missing authorization check that allows low-privileged attackers to add users to groups.
Employs least privilege to restrict low-privileged users from performing administrative group membership changes, limiting the impact of bypassed authorization.
Manages accounts including group memberships to ensure only authorized conditions allow modifications, mitigating improper user-group manipulations.