CVE-2025-26361
Published: 12 February 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-26361 is a CWE-306 "Missing Authentication for Critical Function" vulnerability in the maxprofile/setup/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. It enables an unauthenticated remote attacker to perform a factory reset of the device by sending crafted HTTP requests to the affected endpoint. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), reflecting its critical severity due to high impacts on integrity and availability with no confidentiality impact.
An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. By crafting and sending specific HTTP requests to the setup routes, the attacker achieves a full factory reset of the Q-Free MaxTime device, potentially disrupting operations, erasing configurations, and requiring manual reconfiguration.
For mitigation details, refer to the advisory published by Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26361.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated remote factory reset of the device, erasing configurations (data destruction, T1485) and causing denial of service through exploitation of the web application (T1499.004).