CVE-2025-26359
Published: 12 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26359, published on 2025-02-12, is a critical vulnerability with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It manifests as a CWE-306 Missing Authentication for Critical Function in the maxprofile/accounts/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. This flaw allows an unauthenticated remote attacker to reset user PINs by sending crafted HTTP requests to the affected endpoint.
The vulnerability can be exploited by any unauthenticated attacker with network access to the Q-Free MaxTime instance, requiring low attack complexity and no privileges, user interaction, or special conditions. Exploitation enables the attacker to arbitrarily reset user PINs, which can facilitate account takeovers, unauthorized access to protected functions, and broader system compromise, resulting in high impacts across confidentiality, integrity, and availability.
For mitigation details, refer to the vulnerability advisory from Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26359.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication for PIN reset function in public-facing web application enables unauthenticated remote exploitation (T1190) and account manipulation via credential reset (T1098).