CVE-2025-26343
Published: 12 February 2025
Description
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Security Summary
CVE-2025-26343 is a CWE-1390 "Weak Authentication" vulnerability in the PIN authentication mechanism of Q-Free MaxTime versions less than or equal to 2.11.0. This flaw enables an unauthenticated remote attacker to brute-force user PINs by sending multiple crafted HTTP requests, undermining the security of the authentication process. The vulnerability received a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its high impact on confidentiality, integrity, and availability despite requiring high attack complexity.
An unauthenticated attacker with network access to the affected Q-Free MaxTime instance can exploit this vulnerability by repeatedly submitting crafted HTTP requests to guess user PINs. Successful brute-forcing grants unauthorized access to authenticated user sessions or resources protected by the PIN mechanism, potentially allowing full compromise of the system with high confidentiality, integrity, and availability impacts.
For mitigation details, refer to the advisory published by Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26343. The vulnerability was publicly disclosed on 2025-02-12.
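The weakness described above is an online guessing problem: a 4- to 6-digit PIN space is small, so the server must bound the number of attempts and defenders must be able to spot the attempts in traffic. The following added example (not Q-Free MaxTime code; the `/api/login` path, the log line format, the user names and the addresses are constructed assumptions) shows the two defender-side pieces: a PIN check with per-account lockout and constant-time comparison, and a sliding-window detector that flags sources with a burst of failed requests to the PIN endpoint.

```python
"""Defensive reference for a weak-authentication PIN endpoint (CWE-1390 style):
throttled verification plus log-based brute-force detection.
Added example; endpoint path, log format and sample data are constructed."""
import hashlib
import hmac
import re
import time
from collections import defaultdict

MAX_FAILURES = 5          # consecutive failures before an account lockout
LOCKOUT_SECONDS = 300     # lockout duration per account
WINDOW_SECONDS = 60       # sliding window used by the log analyser
ALERT_THRESHOLD = 20      # failed attempts from one source within the window


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow, salted hash of the PIN; a short PIN must never be stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class PinAuthenticator:
    """PIN verification with failure counting and lockout.

    A 10**4 to 10**6 PIN space cannot survive unlimited online guesses, so the
    server, not the client, must limit how many attempts an account receives.
    """

    def __init__(self, users: dict, clock=time.monotonic):
        self._users = users                 # user -> (salt, pin_hash)
        self._failures = defaultdict(int)   # consecutive failures per user
        self._locked_until = {}             # user -> monotonic deadline
        self._clock = clock                 # injectable for testing

    def verify(self, user: str, pin: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = self._clock()
        if self._locked_until.get(user, 0) > now:
            return "locked"
        record = self._users.get(user)
        # Always do the hashing work so unknown users are not faster to probe.
        salt, expected = record if record else (b"\x00" * 16, b"\x00" * 32)
        ok = hmac.compare_digest(hash_pin(pin, salt), expected) and record is not None
        if ok:
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        if self._failures[user] >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures[user] = 0
            return "locked"
        return "denied"


# Constructed access-log format: "<ip> [<unix ts>] \"POST <path>\" <status>"
LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>\d+)\] "POST (?P<path>\S+)" (?P<status>\d{3})$')


def detect_bruteforce(lines, path="/api/login", fail_status="401"):
    """Return {ip: peak_failures} for sources whose failed POSTs to the PIN
    endpoint reach ALERT_THRESHOLD inside any WINDOW_SECONDS span."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["path"] != path or m["status"] != fail_status:
            continue
        by_ip[m["ip"]].append(int(m["ts"]))
    alerts = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW_SECONDS:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= ALERT_THRESHOLD:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


# Constructed sample: one source fails 25 times in 25 s, another fails 3 times then succeeds.
SAMPLE_LOG = (
    [f'203.0.113.7 [{1700000000 + i}] "POST /api/login" 401' for i in range(25)]
    + [f'198.51.100.4 [{1700000000 + 10 * i}] "POST /api/login" 401' for i in range(3)]
    + ['198.51.100.4 [1700000040] "POST /api/login" 200']
)

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))   # only the 25-failure source is flagged
```

The lockout counter is keyed per account, which stops a single account from being guessed exhaustively; the log detector is keyed per source, which catches the same activity from the network side and is also where a per-source rate limit or WAF rule would hook in. Both should be used together, since an attacker can rotate either accounts or sources.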
Details
- CWE(s): CWE-1390 Weak Authentication
- Affected Products: Q-Free MaxTime, versions 2.11.0 and earlier
- MITRE ATT&CK Enterprise Techniques: T1110.001 Brute Force: Password Guessing
Why these techniques?
The vulnerability enables unauthenticated remote brute-force attacks on user PINs via HTTP requests, directly facilitating Password Guessing (T1110.001).