CVE-2025-26372
Published: 12 February 2025
Description
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Security Summary
CVE-2025-26372 is a CWE-862 missing authorization vulnerability in the maxprofile/user-groups/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. Published on 2025-02-12, the issue has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L). It enables an authenticated low-privileged attacker to remove users from groups through crafted HTTP requests.
A low-privileged authenticated attacker can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Exploitation allows the attacker to remove arbitrary users from groups, leading to high integrity impact by unauthorized modification of access controls and low availability impact.
Mitigation details are available in the advisory from Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26372.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows exploitation of a public-facing web application (T1190) by low-privileged authenticated attackers to remove users from groups, enabling account access removal (T1531) and revocation of access rights.