CVE-2025-26377
Published: 12 February 2025
Summary
CVE-2025-26377 is a high-severity Missing Authorization (CWE-862) vulnerability in Q-Free Maxtime. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 35.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates enforcement of approved authorizations for access to system resources, addressing the missing authorization check that enables low-privileged users to delete arbitrary users.
Enforces least privilege to ensure low-privileged users lack permissions for destructive actions like user deletion, limiting exploitability even if enforcement is incomplete.
Requires system access decisions based on valid authorizations, mitigating the inadequate checks in the user deletion endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization allows low-privileged authenticated attackers to delete users via crafted HTTP requests, enabling exploitation for privilege escalation (T1068), account manipulation (T1098), and account access removal (T1531) for disruption.
NVD Description
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users via crafted HTTP requests.
Deeper analysisAI
CVE-2025-26377 is a CWE-862 Missing Authorization vulnerability in the maxprofile/users/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. Published on 2025-02-12T14:15:38.933, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H). The issue stems from inadequate authorization checks, enabling unauthorized user removal operations.
A low-privileged authenticated attacker can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By sending crafted HTTP requests to the affected endpoint, the attacker can delete arbitrary users, resulting in high integrity and availability impacts without affecting confidentiality.
Mitigation details are available in the advisory from Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26377.
Details
- CWE(s)