Cyber Resilience

CVE-2025-26378

High

Published: 12 February 2025

Published
12 February 2025
Modified
10 April 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0015 36.1th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26378 is a high-severity Missing Authorization (CWE-862) vulnerability in Q-Free Maxtime. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 36.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-26378 is a CWE-862 missing authorization vulnerability in the maxprofile/users/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. Published on 2025-02-12T14:15:39.163, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue enables an authenticated low-privileged attacker to reset passwords, including those of administrator accounts, by sending crafted HTTP requests.

A low-privileged authenticated user can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Exploitation allows the attacker to reset passwords for any user account, including administrators, resulting in high impacts to confidentiality, integrity, and availability, such as potential full system compromise through privilege escalation.

Mitigation guidance is provided in the Nozomi Networks Labs vulnerability advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26378.

EU & UK References

Vulnerability details

A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to reset passwords, including the ones of administrator accounts, via crafted HTTP requests.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1098 Account Manipulation Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization in web management interface enables low-privileged authenticated attackers to reset admin passwords via crafted requests, facilitating exploitation of public-facing application (T1190), exploitation for privilege escalation (T1068), and account manipulation (T1098).

CVEs Like This One

CVE-2025-26368Same product: Q-Free Maxtime
CVE-2025-26377Same product: Q-Free Maxtime
CVE-2025-26370Same product: Q-Free Maxtime
CVE-2025-26369Same product: Q-Free Maxtime
CVE-2025-26372Same product: Q-Free Maxtime
CVE-2025-26371Same product: Q-Free Maxtime
CVE-2025-26375Same product: Q-Free Maxtime
CVE-2025-26345Same product: Q-Free Maxtime
CVE-2025-26359Same product: Q-Free Maxtime
CVE-2025-26347Same product: Q-Free Maxtime

Affected Assets

q-free
maxtime
≤ 2.11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for logical access to system resources, directly mitigating the missing authorization in the password reset endpoint exploited by low-privileged users.

prevent

Restricts user privileges to the least necessary for tasks, preventing low-privileged authenticated users from performing administrative password resets.

prevent

Manages system accounts including password lifecycle processes, helping ensure only authorized users can initiate password resets for any accounts.

References