CVE-2025-26371
Published: 12 February 2025
Description
An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain.
Security Summary
CVE-2025-26371, published on 2025-02-12, is a CWE-862 Missing Authorization vulnerability in the maxprofile/user-groups/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. The flaw enables an authenticated low-privileged attacker to add users to groups through crafted HTTP requests, bypassing proper authorization checks.
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility, low attack complexity, and the need for low privileges without user interaction or scope changes. A low-privileged authenticated attacker can exploit it remotely to manipulate user group memberships, potentially achieving privilege escalation by elevating other users' access levels and impacting confidentiality, integrity, and availability with high severity.
Mitigation details are available in the advisory from Nozomi Networks Labs at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26371.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The missing authorization vulnerability enables low-privileged authenticated attackers to add users to groups via crafted HTTP requests, directly facilitating exploitation for privilege escalation (T1068) and account manipulation by adding to additional local or domain groups (T1098.007).