CVE-2025-26339

Published Feb 12, 2025

Last updated 10 days ago

CVSS critical 9.8

Overview

Description: A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability in multiple unspecified ways via crafted HTTP requests.
Source: prodsec@nozominetworks.com
NVD status: Analyzed
Products: maxtime

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

prodsec@nozominetworks.com: CWE-306

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
            "versionEndIncluding": "2.11.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.