CVE-2025-26375
Published: 12 February 2025
Summary
CVE-2025-26375 is a high-severity Missing Authorization (CWE-862) vulnerability in Q-Free Maxtime. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 35.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for logical access to system resources, directly addressing the missing authorization check allowing low-privileged users to create arbitrary privileged accounts.
Requires procedures for account management including approval and authorization prior to creation, preventing unauthorized user account provisioning via crafted requests.
Employs least privilege to restrict privileges assigned during user creation, mitigating the impact of privilege escalation through improper account setup.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization allows authenticated low-privileged attackers to create new local user accounts with arbitrary administrative privileges via crafted HTTP requests, enabling exploitation for privilege escalation (T1068) and local account creation (T1136/T1136.001).
NVD Description
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create users with arbitrary privileges via crafted HTTP requests.
Deeper analysisAI
CVE-2025-26375 is a CWE-862 Missing Authorization vulnerability in the maxprofile/users/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. Published on 2025-02-12, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue stems from inadequate authorization checks, enabling improper user creation functionality.
A low-privileged authenticated attacker can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By sending crafted HTTP requests to the affected endpoint, the attacker can create new user accounts with arbitrary privileges, potentially escalating their access to administrative levels and compromising confidentiality, integrity, and availability of the system.
Mitigation details are available in the advisory published by Nozomi Networks Labs at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26375.
Details
- CWE(s)