CVE-2025-26364

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published Feb 12, 2025
CWE ID 306

Summary

CVE-2025-26364 is a vulnerability classified as CWE-306, "Missing Authentication for Critical Function". In affected versions of Q-Free MaxTime (2.11.0 and earlier), the flaw is in the maxprofile/setup/routes.lua file: an unauthenticated attacker can disable an authentication profile server by sending crafted HTTP requests. This could potentially allow unauthorized access to protected resources or services. Successful exploitation may require a certain level of technical expertise, but the vulnerability poses a significant risk to organizations that have not applied the necessary patches. Users are strongly recommended to upgrade to the latest version of Q-Free MaxTime to mitigate this issue.


Affected Products

  • Q-Free MaxTime

Affected Vendors

  • Nozomi Networks