CVE-2025-26375
Published: 12 February 2025
Description
Adversaries may create a local account to maintain access to victim systems.
Security Summary
CVE-2025-26375 is a CWE-862 Missing Authorization vulnerability in the maxprofile/users/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. Published on 2025-02-12, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue stems from inadequate authorization checks, enabling improper user creation functionality.
A low-privileged authenticated attacker can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By sending crafted HTTP requests to the affected endpoint, the attacker can create new user accounts with arbitrary privileges, potentially escalating their access to administrative levels and compromising confidentiality, integrity, and availability of the system.
Mitigation details are available in the advisory published by Nozomi Networks Labs at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26375.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization allows authenticated low-privileged attackers to create new local user accounts with arbitrary administrative privileges via crafted HTTP requests, enabling exploitation for privilege escalation (T1068) and local account creation (T1136/T1136.001).