CVE-2025-26346
Published: 12 February 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-26346 is a SQL injection vulnerability classified under CWE-89 (improper neutralization of special elements used in an SQL command). It affects Q-Free MaxTime versions 2.11.0 and earlier, specifically the editUserGroupMenu endpoint implemented in the maxprofile/menu/model.lua component. Published on 2025-02-12, the flaw allows an authenticated remote attacker to execute arbitrary SQL commands through crafted HTTP requests.
Exploitation requires high privileges (PR:H) and is possible over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). A successful attack has a high impact on data integrity (I:H) and a low impact on availability (A:L), with no impact on confidentiality (C:N) and no change of scope (S:U). The resulting CVSS v3.1 base score is 5.5 (Medium).
Mitigation guidance is available in the Nozomi Networks vulnerability advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26346.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection allows arbitrary SQL execution, which maps to collection and exfiltration of data from databases (T1213.006), manipulation of stored data (T1565.001), and data destruction or deletion (T1485).