CVE-2025-26339
Published: 12 February 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-26339, published on 2025-02-12, is a critical vulnerability with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It manifests as a CWE-306 Missing Authentication for Critical Function in the maxtime/handleRoute.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. This flaw enables unauthenticated remote attackers to compromise the device's confidentiality, integrity, or availability in multiple unspecified ways by sending crafted HTTP requests.
The attack scenario targets systems exposed to the network running the affected Q-Free MaxTime software. Unauthenticated remote attackers require no privileges, user interaction, or special conditions beyond network access and low attack complexity. Exploitation can achieve high impacts across confidentiality, integrity, and availability, potentially allowing full device compromise through the unprotected critical function.
Mitigation details are outlined in the advisory published by Nozomi Networks Labs at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26339. No specific patch or workaround information is detailed in the CVE description.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication in the public-facing web management application (handleRoute.lua) enables unauthenticated remote exploitation for initial access (T1190: Exploit Public-Facing Application) and facilitates denial of service via crafted HTTP requests (T1499.004: Application or System Exploitation), with potential for configuration changes impacting confidentiality, integrity, and availability.