CVE-2025-26378
Published: 12 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26378 is a CWE-862 missing authorization vulnerability in the maxprofile/users/routes.lua component of Q-Free MaxTime versions less than or equal to 2.11.0. Published on 2025-02-12T14:15:39.163, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue enables an authenticated low-privileged attacker to reset passwords, including those of administrator accounts, by sending crafted HTTP requests.
A low-privileged authenticated user can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Exploitation allows the attacker to reset passwords for any user account, including administrators, resulting in high impacts to confidentiality, integrity, and availability, such as potential full system compromise through privilege escalation.
Mitigation guidance is provided in the Nozomi Networks Labs vulnerability advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26378.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization in web management interface enables low-privileged authenticated attackers to reset admin passwords via crafted requests, facilitating exploitation of public-facing application (T1190), exploitation for privilege escalation (T1068), and account manipulation (T1098).