CVE-2025-26366
Published: 12 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26366 is a CWE-306 Missing Authentication for Critical Function vulnerability in the maxprofile/setup/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. Published on 2025-02-12, it enables an unauthenticated remote attacker to disable front panel authentication by sending crafted HTTP requests to the affected endpoint. The issue carries a CVSS v3.1 base score of 7.5, reflecting network accessibility, low attack complexity, no privileges or user interaction required, unchanged scope, high integrity impact, and no confidentiality or availability impact.
Any unauthenticated attacker with network access to a vulnerable Q-Free MaxTime instance can exploit this flaw. By crafting and transmitting specific HTTP requests to the unprotected routes.lua endpoint, the attacker achieves disabling of front panel authentication, compromising the integrity of access controls on the device.
Mitigation guidance is available in the Nozomi Networks vulnerability advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26366.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a missing authentication for a critical function in the exposed web management interface (maxprofile/setup/routes.lua), enabling unauthenticated remote attackers to send crafted HTTP requests to disable front panel authentication, which aligns with T1190: Exploit Public-Facing Application.