CVE-2025-26342

CVSS 3.1 Score 9.8 of 10 (high)

Details

Published Feb 12, 2025

CWE ID 306

Summary

CVE-2025-26342 is a vulnerability affecting Q-Free MaxTime versions 2.11.0 and below. This issue, classified as CWE-306 "Missing Authentication for Critical Function," allows unauthenticated attackers to create new users, including administrators, through crafted HTTP requests on the maxprofile/accounts/routes.lua file. Successful exploitation grants the attacker control over the system, posing a significant security risk. It is advised that affected organizations upgrade to the latest version of Q-Free MaxTime as soon as possible to mitigate the threat.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Q-Free Maxtime

Affected Vendors

Nozomi Networks

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/3Ih1cC
https://www.cve.org/CVERecord?id=CVE-2025-26342
https://nvd.nist.gov/vuln/detail/CVE-2025-26342

Back to Vulnerability Database