CVE-2025-26369
Published: 12 February 2025
Description
An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain.
Security Summary
CVE-2025-26369 is a CWE-862 "Missing Authorization" vulnerability in the maxprofile/user-groups/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. This flaw enables unauthorized modifications to user group privileges through crafted HTTP requests, bypassing intended access controls. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
An authenticated attacker with low privileges can exploit this issue remotely over the network with low complexity and no user interaction required. By sending specially crafted HTTP requests to the affected endpoint, the attacker can elevate privileges within user groups, potentially granting themselves or others administrative access and enabling further compromise of the system.
For mitigation details, refer to the advisory published by Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26369, which was released alongside the CVE on 2025-02-12.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows an authenticated low-privileged attacker to add privileges to user groups via crafted HTTP requests, enabling exploitation for privilege escalation (T1068) and account manipulation by adding privileges to local groups (T1098.007).