CRITICAL🇵🇱 Wersja polska

CVE-2025-26341

CVSS 9.8v3.1pub. 2025-02-12upd. 2025-10-24

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset arbitrary user passwords via crafted HTTP requests.

🤖 AI Analysis
How it works

The maxprofile/accounts/routes.lua file lacks an authentication mechanism for a critical function (CWE-306), meaning the endpoint responsible for password reset is accessible without any authorization. An attacker can send appropriately crafted HTTP requests to the vulnerable endpoint and force a password change for a selected user account. This grants full control over any account in the system.

Impact

An attacker can take control of any user account in the system, including administrative accounts, leading to complete compromise of data confidentiality, integrity, and availability as well as system functionality.

Mitigation & patch

Patches available from the vendor should be applied in accordance with references. Detailed information is available in the Nozomi Networks advisory: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26341. Until the update is deployed, it is recommended to restrict network access to the Q-Free MaxTime system management interface exclusively to trusted IP addresses.

Who is affected

Q-Free MaxTime version 2.11.0 and earlier.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Q Free Maxtime

    APP
    Q-Free
    ≤ 2.11.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-26344CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: brak uwierzytelnienia umożliwia włączenie trybu gościa bez hasła

CVE-2025-26342CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: tworzenie kont bez uwierzytelnienia (w tym kont admina)

CVE-2025-26339CRITICAL9.8PL ✓ten sam produkt

Brak uwierzytelnienia dla krytycznej funkcji w Q-Free MaxTime

CVE-2025-1100CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: zakodowane hasło root umożliwia zdalny RCE przez SSH

CVE-2025-26345CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: brak uwierzytelnienia umożliwia zmianę uprawnień grup użytkowników