CVE-2025-26342
Published: 12 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26342, published on 2025-02-12, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) classified as CWE-306, Missing Authentication for Critical Function. It affects the maxprofile/accounts/routes.lua component in Q-Free MaxTime versions less than or equal to 2.11.0. The issue enables unauthenticated remote attackers to create arbitrary users, including administrators, by sending crafted HTTP requests.
An unauthenticated remote attacker with network access can exploit this vulnerability without requiring privileges, user interaction, or special conditions due to its low attack complexity. Exploitation allows the creation of unauthorized accounts with elevated privileges, such as administrator roles, potentially compromising the entire system through unauthorized access, data manipulation, and disruption.
For details on mitigation, including any patches or workarounds, refer to the advisory from Nozomi Networks Labs at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26342.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication in web application allows unauthenticated remote creation of arbitrary local administrator accounts, enabling T1190 (Exploit Public-Facing Application), T1068 (Exploitation for Privilege Escalation), and T1136.001 (Create Account: Local Account).