CVE-2025-26377
Published: 12 February 2025
Description
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Security Summary
CVE-2025-26377 is a CWE-862 Missing Authorization vulnerability in the maxprofile/users/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. Published on 2025-02-12T14:15:38.933, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H). The issue stems from inadequate authorization checks, enabling unauthorized user removal operations.
A low-privileged authenticated attacker can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By sending crafted HTTP requests to the affected endpoint, the attacker can delete arbitrary users, resulting in high integrity and availability impacts without affecting confidentiality.
Mitigation details are available in the advisory from Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26377.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization allows low-privileged authenticated attackers to delete users via crafted HTTP requests, enabling exploitation for privilege escalation (T1068), account manipulation (T1098), and account access removal (T1531) for disruption.