CVE-2025-26365
Published: 12 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26365 is a CWE-306 "Missing Authentication for Critical Function" vulnerability in the maxprofile/setup/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. Published on 2025-02-12, it enables an unauthenticated remote attacker to enable front panel authentication through crafted HTTP requests. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), reflecting high integrity impact with no confidentiality or availability effects.
An unauthenticated attacker with network access to the affected system can exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable routes.lua endpoint. Exploitation requires no privileges, user interaction, or special complexity, allowing remote compromise of the authentication mechanism for front panel access and potentially altering system integrity.
Mitigation details are available in the advisory from Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26365.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a missing authentication for a critical function in the public-facing web management interface (maxprofile/setup/routes.lua), enabling unauthenticated remote attackers to send crafted HTTP requests to enable front panel authentication and potentially lock out legitimate users, directly facilitating T1190: Exploit Public-Facing Application.