CVE-2025-26362
Published: 12 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26362 is a CWE-306 Missing Authentication for Critical Function vulnerability in the maxprofile/setup/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. Published on 2025-02-12, it enables an unauthenticated remote attacker to set an arbitrary authentication profile server via crafted HTTP requests. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), highlighting its network accessibility, low complexity, and high integrity impact without affecting confidentiality or availability.
Any unauthenticated attacker with network access to the vulnerable Q-Free MaxTime instance can exploit this flaw by sending crafted HTTP requests to the affected setup routes. Successful exploitation allows the attacker to redirect the authentication profile server to an arbitrary endpoint under their control, potentially enabling manipulation of authentication flows and compromising the integrity of user verification processes.
Mitigation guidance is available in the Nozomi Networks vulnerability advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26362.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication in the web management interface (maxprofile/setup/routes.lua) allows unauthenticated remote attackers to modify the authentication profile server via crafted HTTP requests, enabling exploitation of a public-facing application.