CVE-2025-26367

CVSS 3.1 Score 4.3 of 10 (medium)

Details

Published Feb 12, 2025

Updated: Mar 3, 2025

CWE ID 862

Summary

CVE-2025-26367 is a vulnerability affecting Q-Free MaxTime versions 2.11.0 and below. It is classified as a CWE-862 "Missing Authorization" issue. An attacker with low-privileged access can exploit this flaw by making crafted HTTP requests to the maxprofile/user-groups/routes.lua file in the system. Successful exploitation enables the creation of arbitrary user groups, potentially compromising the security of the affected system.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Q-Free Maxtime

Affected Vendors

Nozomi Networks

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/3Ig4WP
https://www.cve.org/CVERecord?id=CVE-2025-26367
https://nvd.nist.gov/vuln/detail/CVE-2025-26367

Back to Vulnerability Database