CVE-2025-26347
Published: 12 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26347 is a CWE-306 "Missing Authentication for Critical Function" vulnerability in the maxprofile/menu/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. This flaw enables an unauthenticated remote attacker to edit user permissions through crafted HTTP requests, as the affected endpoint lacks proper authentication checks. The vulnerability received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its critical severity due to high impacts on confidentiality, integrity, and availability.
Any unauthenticated attacker with network access to the vulnerable Q-Free MaxTime instance can exploit this issue by sending specially crafted HTTP requests to the maxprofile/menu/routes.lua endpoint. Successful exploitation allows arbitrary modification of user permissions, potentially enabling privilege escalation, unauthorized access to sensitive functions, or full administrative control over the system, depending on the target's configuration.
Mitigation details and additional technical information are available in the advisory published by Nozomi Networks Labs at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26347. The vulnerability was publicly disclosed on 2025-02-12.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated remote editing of user permissions (T1098: Account Manipulation) via a public-facing web application (T1190: Exploit Public-Facing Application).