CVE-2025-26378
Published: 12 February 2025
Summary
CVE-2025-26378 is a high-severity Missing Authorization (CWE-862) vulnerability in Q-Free MaxTime. Its CVSS v3.1 base score is 8.8 (High).
In MITRE ATT&CK terms, exploitation aligns with Exploitation for Privilege Escalation (T1068). Its exploit-likelihood score sits at the 35.8th percentile (below the median), and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- AC-3 (Access Enforcement): Enforces approved authorizations for logical access to system resources, directly addressing the missing authorization check in the password-reset endpoint that low-privileged users exploit.
- AC-6 (Least Privilege): Restricts user privileges to the minimum necessary for their tasks, so low-privileged authenticated users cannot perform administrative password resets.
- AC-2 (Account Management): Manages system accounts, including password lifecycle processes, helping ensure that only authorized users can initiate password resets for other accounts.
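The controls above boil down to one server-side decision that the affected route lacks: before acting on a password reset, decide from the authenticated session whether the caller is allowed to touch the target account. The following model, written for this page and not taken from Q-Free MaxTime or maxprofile/users/routes.lua, shows a vulnerable handler that only authenticates beside a hardened one that also authorizes (AC-3) with a self-or-admin rule (AC-6). The route shape `POST /users/<name>/password`, the request object, the user store and the session handling are all assumptions standing in for whatever the real product does.

```python
"""Vulnerable and hardened versions of an authenticated password-reset route.

Illustrative model written for this page, not Q-Free MaxTime code: the route
path, request shape, user store and session handling are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple


@dataclass
class User:
    name: str
    role: str          # "admin" or "user"
    password: str


def new_user_store() -> dict:
    """Constructed in-memory account table standing in for the product database."""
    return {
        "admin": User("admin", "admin", "original-admin-secret"),
        "alice": User("alice", "user", "alice-secret"),
    }


# Assumed route shape: POST /users/<name>/password with a JSON body {"password": ...}.
RESET_ROUTE = re.compile(r"^/users/(?P<target>[^/]+)/password$")


@dataclass
class Request:
    method: str
    path: str
    session_user: Optional[str]   # identity bound to the session cookie, if any
    body: dict = field(default_factory=dict)


def _dispatch(req: Request, users: dict,
              authorize: Callable[[User, str], bool]) -> Tuple[int, str]:
    """Minimal router: authenticate, then apply the supplied authorization policy."""
    m = RESET_ROUTE.match(req.path)
    if req.method != "POST" or not m:
        return 404, "no such route"
    caller = users.get(req.session_user or "")
    if caller is None:
        return 401, "login required"      # authentication is enforced in both versions
    target = m.group("target")
    # Authorize before checking that the target exists, so a non-admin cannot
    # use the 403/404 difference to enumerate account names.
    if not authorize(caller, target):
        return 403, "forbidden"
    if target not in users:
        return 404, "no such user"
    new_password = req.body.get("password", "")
    if len(new_password) < 12:
        return 400, "password too short"
    users[target].password = new_password
    return 200, f"password reset for {target}"


def reset_password_vulnerable(req: Request, users: dict) -> Tuple[int, str]:
    """CWE-862 pattern: any authenticated caller may reset any account, admin included."""
    return _dispatch(req, users, authorize=lambda caller, target: True)


def reset_password_hardened(req: Request, users: dict) -> Tuple[int, str]:
    """AC-3/AC-6 fix: a caller may reset only their own password unless they are an admin.
    The decision uses the server-side session identity, never a client-supplied role."""
    def policy(caller: User, target: str) -> bool:
        return caller.role == "admin" or caller.name == target
    return _dispatch(req, users, authorize=policy)


def demo() -> dict:
    """Replay one crafted request (low-privileged alice targets admin) against both handlers."""
    crafted = Request("POST", "/users/admin/password", "alice",
                      {"password": "attacker-chosen-pw"})
    vuln_users = new_user_store()
    vuln_status, _ = reset_password_vulnerable(crafted, vuln_users)
    hard_users = new_user_store()
    hard_status, _ = reset_password_hardened(crafted, hard_users)
    return {
        "vulnerable_status": vuln_status,
        "vulnerable_admin_pw_changed": vuln_users["admin"].password != "original-admin-secret",
        "hardened_status": hard_status,
        "hardened_admin_pw_changed": hard_users["admin"].password != "original-admin-secret",
    }


if __name__ == "__main__":
    print(demo())
```

The policy lives in one place and runs before any state change, which is the property to verify when reviewing or patching a route like this: authentication (who is the caller) is not the same as authorization (may this caller act on this target).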
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Missing authorization in the web management interface lets a low-privileged authenticated attacker reset administrator passwords with crafted requests. That maps to Exploit Public-Facing Application (T1190) for the initial request, Exploitation for Privilege Escalation (T1068) for the jump from user to administrator, and Account Manipulation (T1098) for the credential change itself.
NVD Description
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to reset passwords, including the ones of administrator accounts, via crafted HTTP requests.
Deeper analysis (AI-generated)
CVE-2025-26378 is a CWE-862 missing authorization vulnerability in the maxprofile/users/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. Published on 2025-02-12T14:15:39.163, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue enables an authenticated low-privileged attacker to reset passwords, including those of administrator accounts, by sending crafted HTTP requests.
A low-privileged authenticated user can exploit this vulnerability remotely over the network with low attack complexity and no user interaction; the PR:L component reflects that valid, if unprivileged, credentials are required. Exploitation lets the attacker reset the password of any account, including administrators, so the confidentiality, integrity, and availability impacts are all high: once the attacker holds an administrator password, they control the management interface, which amounts to full compromise of the system through privilege escalation.
Mitigation guidance is provided in the Nozomi Networks Labs vulnerability advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26378.
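Until a fixed version is deployed, the exploitation pattern described above is also something a defender can watch for: an authenticated non-administrator sending a password-reset request for an account other than their own. The detection below is an added example for this page, not a Nozomi Networks or Q-Free detection. It assumes the web server writes Common Log Format lines with the authenticated user in the remote-user field, a `POST /users/<name>/password` route, and a role table for the known accounts; the log lines and the role table are constructed. If the product's web-server logs do not record the session identity, the same logic applies to its application audit log instead.

```python
"""Detect cross-account password resets by non-admin users in web access logs.

Added example for this page, not a Nozomi Networks or Q-Free detection. The log
format, route path, role table and sample lines are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Common Log Format with the authenticated identity in the remote-user field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Assumed route shape for the reset endpoint.
RESET_PATH = re.compile(r"^/users/(?P<target>[^/]+)/password$")

# Constructed role table; in practice this comes from the product's account export.
ROLES = {"admin": "admin", "alice": "user", "bob": "user"}


@dataclass
class Finding:
    ip: str
    ts: str
    actor: str
    target: str
    status: int   # 200 means the reset succeeded; 403 means it was attempted and blocked


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_cross_account_resets(lines: Iterable[str], roles: dict = ROLES) -> List[Finding]:
    """Flag POSTs to the reset route where a non-admin targets someone else's account.

    Attempts are flagged regardless of HTTP status so that blocked attempts on a
    patched system still surface; the status field tells success from failure.
    """
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        pm = RESET_PATH.match(rec["path"])
        if not pm:
            continue
        actor, target = rec["user"], pm.group("target")
        if actor == "-":
            continue   # unauthenticated request; the server already rejects it with 401
        if actor == target:
            continue   # self-service reset is expected behaviour
        if roles.get(actor) == "admin":
            continue   # administrators resetting other accounts is legitimate
        findings.append(Finding(rec["ip"], rec["ts"], actor, target, int(rec["status"])))
    return findings


def successful(findings: Iterable[Finding]) -> List[Finding]:
    """Narrow to resets that the server actually applied."""
    return [f for f in findings if f.status == 200]


# Constructed sample log: normal use, one exploit, one blocked retry after patching.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Feb/2025:10:01:02 +0000] "GET /users/alice HTTP/1.1" 200 512',
    '10.0.0.5 - alice [12/Feb/2025:10:01:09 +0000] "POST /users/alice/password HTTP/1.1" 200 45',
    '10.0.0.5 - alice [12/Feb/2025:10:02:31 +0000] "POST /users/admin/password HTTP/1.1" 200 45',
    '10.0.0.9 - admin [12/Feb/2025:10:03:00 +0000] "POST /users/bob/password HTTP/1.1" 200 45',
    '10.0.0.7 - - [12/Feb/2025:10:03:30 +0000] "POST /users/admin/password HTTP/1.1" 401 0',
    '10.0.0.5 - alice [12/Feb/2025:10:04:00 +0000] "POST /users/admin/password HTTP/1.1" 403 0',
]


if __name__ == "__main__":
    for f in find_cross_account_resets(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.actor} -> {f.target} status={f.status}")
```

A hit with status 200 on an unpatched system should be treated as an administrator credential compromise: rotate the affected administrator password from a trusted path and look for subsequent administrator logins from the actor's source address.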
Details
- CWE(s)