CVE-2025-26341
Published: 12 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26341, published on 2025-02-12, is a critical vulnerability with a CVSS v3.1 base score of 9.8, classified under CWE-306 (Missing Authentication for Critical Function). It affects Q-Free MaxTime versions less than or equal to 2.11.0, specifically in the maxprofile/accounts/routes.lua component. The flaw allows an unauthenticated remote attacker to reset arbitrary user passwords by sending crafted HTTP requests, bypassing any authentication checks for this sensitive operation.
The attack scenario targets systems exposed to the network, requiring no privileges, user interaction, or special conditions (AV:N/AC:L/PR:N/UI:N/S:U). An unauthenticated remote attacker can exploit this to reset passwords for any user account, leading to high impacts on confidentiality (C:H), integrity (I:H), and availability (A:H). This could enable full account takeover, privilege escalation, or broader system compromise depending on the targeted accounts.
Mitigation details are available in the advisory published by Nozomi Networks Labs at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26341.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated password reset vulnerability in a exposed management web app enables exploitation of public-facing application (T1190), direct account manipulation via password changes (T1098), and obtaining valid accounts for further access (T1078).