CVE-2025-26363
Published: 12 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to gain initial access to a network.
Security Summary
CVE-2025-26363 is a CWE-306 (missing authentication for critical function) vulnerability in the maxprofile/setup/routes.lua component of Q-Free MaxTime versions 2.11.0 and earlier. Published on 2025-02-12, it allows an unauthenticated remote attacker to enable an authentication profile server by sending crafted HTTP requests to the affected endpoint. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
An unauthenticated attacker with network access to a vulnerable Q-Free MaxTime instance can exploit this flaw with low attack complexity and no user interaction. Exploitation consists of sending specific HTTP requests to the routes.lua handler, which enables an authentication profile server without any authorization check. The impact is rated high for integrity: an attacker can manipulate the system's authentication configuration, while confidentiality and availability are not affected.
Mitigation guidance and additional details are provided in the Nozomi Networks vulnerability advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26363.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a missing authentication for a critical function in a public-facing management web application. It lets unauthenticated remote attackers send crafted HTTP requests that enable an authentication profile server and potentially bypass authentication, which is exactly the pattern of exploiting a public-facing application for initial access.