CVE-2025-26369

CVSS 3.1 Score 8.8 of 10 (high)

Details

Published Feb 12, 2025

Updated: Mar 3, 2025

CWE ID 862

Summary

CVE-2025-26369 is a vulnerability affecting Q-Free MaxTime versions 2.11.0 and below. This issue, classified as CWE-862 "Missing Authorization," enables authenticated, low-privileged attackers to add privileges to user groups through crafted HTTP requests. By exploiting this missing authorization in maxprofile/user-groups/routes.lua, attackers can extend their access, potentially leading to significant security consequences.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Q-Free Maxtime

Affected Vendors

Nozomi Networks

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/3Ih2NR
https://www.cve.org/CVERecord?id=CVE-2025-26369
https://nvd.nist.gov/vuln/detail/CVE-2025-26369

Back to Vulnerability Database