CVE-2025-26345
Published: 12 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26345 is a CWE-306 "Missing Authentication for Critical Function" vulnerability affecting the maxprofile/menu/routes.lua component in Q-Free MaxTime versions less than or equal to 2.11.0. This flaw enables an unauthenticated remote attacker to edit user group permissions through crafted HTTP requests. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and potential for high confidentiality, integrity, and availability impacts.
An unauthenticated attacker with network access to the affected Q-Free MaxTime instance can exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable endpoint. Successful exploitation allows modification of user group permissions, potentially granting elevated privileges, enabling further compromise of the system, data exfiltration, or disruption of services without requiring prior authentication or user interaction.
Nozomi Networks has published a vulnerability advisory detailing CVE-2025-26345 at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26345, which security practitioners should consult for mitigation guidance and patch information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote access to edit user group permissions via public-facing web app enables exploitation for privilege escalation (T1068, T1190) and direct account/group manipulation (T1098, T1098.007).