CVE-2025-26344
Published: 12 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26344 is a CWE-306 "Missing Authentication for Critical Function" vulnerability in the maxprofile/guest-mode/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. Published on 2025-02-12, it enables an unauthenticated remote attacker to activate passwordless guest mode through crafted HTTP requests. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to network accessibility, low complexity, and high potential impact on confidentiality, integrity, and availability.
An unauthenticated attacker with network access to the affected Q-Free MaxTime instance can exploit this vulnerability without privileges or user interaction by sending specially crafted HTTP requests to the vulnerable routes.lua endpoint. Exploitation results in enabling passwordless guest mode, which could allow unauthorized access to system functions and resources, aligning with the high CVSS impact ratings.
Mitigation details are available in the advisory from Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26344.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability (CWE-306 Missing Authentication for Critical Function) in the Q-Free MaxTime web application allows unauthenticated remote attackers to enable passwordless guest mode via crafted HTTP requests, enabling exploitation of a public-facing application for unauthorized access.