CVE-2025-26368
Published: 12 February 2025
Description
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Security Summary
CVE-2025-26368, published on 2025-02-12, is a CWE-862 Missing Authorization vulnerability affecting the maxprofile/user-groups/routes.lua component in Q-Free MaxTime versions less than or equal to 2.11.0. The issue enables an authenticated low-privileged attacker to remove user groups through crafted HTTP requests, with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).
A low-privileged authenticated user can exploit this vulnerability remotely with low complexity and no user interaction required. By sending crafted HTTP requests to the vulnerable endpoint, the attacker bypasses authorization controls, achieving high integrity and availability impacts through the unauthorized removal of user groups, potentially disrupting access management and system functionality.
Mitigation details are available in the advisory published by Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26368.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization allows low-privileged authenticated attackers to remove user groups via crafted HTTP requests, enabling exploitation for privilege escalation (T1068), account manipulation (T1098), and account access removal for impact (T1531).