See Recorded Future’s Threat Intelligence Solutions in Action

See our Threat Intelligence Solutions in Action

Reduce risk and mitigate cyber attacks, no matter your IT & security stack, maturity journey, or industry

Book a free demo

View Solutions to Reduce Risk

See Recorded Future’s Intelligence in Action

Reduce operational risk through timely, precise, and actionable intelligence.

Book a free demo

Intelligence Cloud Overview

View Services & Support Overview

View Research Overview

CVE-2025-26344

CVSS 3.1 Score 9.8 of 10 (high)

Details

Published Feb 12, 2025

Updated: Feb 18, 2025

CWE ID 306

Summary

CVE-2025-26344 is a vulnerability affecting Q-Free MaxTime versions 2.11.0 and below. It is classified as a CWE-306 "Missing Authentication for Critical Function" issue. An unauthenticated attacker can exploit this flaw by sending crafted HTTP requests to the maxprofile/guest-mode/routes.lua file in the application. Successful exploitation enables passwordless guest mode, posing a significant security risk.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Q-Free Maxtime

Affected Vendors

Nozomi Networks

Advisories, Assessments, and Mitigations

Back to Vulnerability Database