CVE-2025-26370
Published: 12 February 2025
Description
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Security Summary
CVE-2025-26370 is a CWE-862 Missing Authorization vulnerability in the maxprofile/user-groups/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. It enables an authenticated low-privileged attacker to remove privileges from user groups through crafted HTTP requests. The vulnerability carries a CVSS v3.1 base score of 7.1, with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L, indicating network accessibility, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and low availability impact.
An authenticated attacker with low privileges can exploit this vulnerability remotely by sending specially crafted HTTP requests to the affected endpoint. Successful exploitation allows the attacker to strip privileges from user groups, potentially escalating control over the system by demoting other users or groups, disrupting access controls, and enabling further unauthorized actions within the MaxTime environment.
For mitigation details, refer to the advisory published by Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26370.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization allows low-privileged authenticated attackers to remove privileges from user groups via crafted HTTP requests to the exposed web management interface, enabling exploitation for privilege escalation (T1068, T1210), account manipulation (T1098), and account access removal (T1531).