CVE-2025-26364
Published: 12 February 2025
Description
Adversaries may disable, degrade, or tamper with security tools or applications (e.
Security Summary
CVE-2025-26364 is a CWE-306 "Missing Authentication for Critical Function" vulnerability in the maxprofile/setup/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. It enables an unauthenticated remote attacker to disable an authentication profile server by sending crafted HTTP requests, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
Any attacker with network access to a vulnerable Q-Free MaxTime instance can exploit this flaw without privileges, user interaction, or special conditions. Exploitation disables the authentication profile server, which the vector rates as a high integrity impact because the authentication mechanisms that depend on that server can be bypassed or switched off.
The Nozomi Networks vulnerability advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26364 provides additional details on this issue.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability (CWE-306) in a public-facing management web application lets unauthenticated remote attackers disable an authentication profile server with crafted HTTP requests. That maps to Exploit Public-Facing Application (T1190) for the initial access, Service Stop (T1489) for the stopped server, and Impair Defenses: Disable or Modify Tools (T1562.001) for the loss of authentication enforcement.