CVE-2025-26359 in Q-Free MaxTime

Summary

by MITRE • 02/12/2025

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset user PINs via crafted HTTP requests.


Analysis

by VulDB Data Team • 10/28/2025

CVE-2025-26359 is a critical authentication flaw classified under CWE-306, Missing Authentication for Critical Function. It affects the maxprofile/accounts/routes.lua component of Q-Free MaxTime version 2.11.0 and earlier. An unauthenticated remote attacker can reach a critical function by sending specially crafted HTTP requests that reset user PINs without proper authorization. This is a fundamental failure in the application's security architecture: a sensitive operation that should require authentication is accessible to any remote user.

Technically, the vulnerability stems from inadequate input validation and authentication checks in the application's routing logic. The maxprofile/accounts/routes.lua file contains endpoints that handle user account management, specifically PIN reset operations. When an attacker sends crafted HTTP requests to these endpoints, the application fails to verify the identity of the requesting user, so unauthorized PIN resets succeed. The flaw operates at the application layer and exploits the absence of the session management or authentication tokens that should validate user identity before a critical function executes.

The operational impact is severe and spans several security domains. An unauthenticated attacker can compromise user accounts by resetting their PINs, potentially gaining unauthorized access to sensitive data and system functions. The vulnerability directly violates the principle of least privilege and can lead to privilege escalation, with the attacker assuming the identity of legitimate users. The attack vector is particularly concerning because it requires no prior credentials: anyone who can reach the target system over the network can use it. The weakness is a persistent risk that can be exploited repeatedly without detection, potentially leading to data breaches, unauthorized system access, and complete account compromise.

Mitigation must address both immediate remediation and long-term architectural improvement. The primary fix is to enforce authentication before any critical function executes, specifically requiring valid user credentials or a session token before a PIN reset is permitted. Security controls should include mandatory authentication verification, proper input sanitization, and rate limiting to blunt automated exploitation attempts. Organizations should also implement proper access controls and audit logging to detect unauthorized access attempts. The vulnerability aligns with ATT&CK technique T1566, which covers social engineering tactics, and represents a failure in the authentication and access control domains of cybersecurity frameworks. Remediation should include prompt patching of affected versions, implementation of proper authentication mechanisms, and comprehensive security testing to confirm that similar gaps do not exist in other critical functions. Additionally, network segmentation and firewall rules should limit access to administrative endpoints, and regular security assessments should identify and address similar authentication gaps in the application's architecture.
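To make the CWE-306 pattern and the mitigation concrete, here is an added illustration in plain Lua; it is not Q-Free's code and does not reproduce MaxTime's routing. It assumes a framework-agnostic handler that receives a request table, a constructed in-memory account and session store, and placeholder names (`reset_pin_vulnerable`, `reset_pin_fixed`, `X-Session-Token`).

```lua
-- Added example (not Q-Free code): the missing-authentication pattern in a
-- Lua route handler and its hardened form. Requests are plain tables
-- {headers = ..., params = ...}; the stores below are constructed test data.

local accounts = { alice = { pin = "1234" }, bob = { pin = "9876" } }  -- constructed
local sessions = { ["tok-alice"] = "alice" }                             -- constructed

-- Vulnerable: the PIN of whatever account the request names is overwritten;
-- nothing ties the request to an authenticated caller (CWE-306).
local function reset_pin_vulnerable(req)
  local acct = accounts[req.params.user]
  if not acct then return 404, "no such user" end
  acct.pin = req.params.new_pin
  return 200, "pin reset"
end

-- Resolve the caller from a session token; returns nil when unauthenticated.
local function authenticate(req)
  local token = req.headers["X-Session-Token"]
  return token and sessions[token] or nil
end

-- Hardened: authenticate first, then authorize (a user may only reset their
-- own PIN; an admin role check would extend this), then validate the input.
local function reset_pin_fixed(req)
  local caller = authenticate(req)
  if not caller then return 401, "authentication required" end
  if caller ~= req.params.user then return 403, "forbidden" end
  local acct = accounts[req.params.user]
  if not acct then return 404, "no such user" end
  if not tostring(req.params.new_pin):match("^%d%d%d%d$") then
    return 400, "pin must be four digits"
  end
  acct.pin = req.params.new_pin
  return 200, "pin reset"
end

-- Constructed requests: one carries no credentials at all, one is a logged-in
-- user targeting somebody else's account. Only the vulnerable handler
-- accepts the anonymous request.
local anon  = { headers = {}, params = { user = "bob", new_pin = "0000" } }
local alice = { headers = { ["X-Session-Token"] = "tok-alice" },
                params  = { user = "bob", new_pin = "0000" } }
print("vulnerable, anonymous:", reset_pin_vulnerable(anon))
print("fixed, anonymous:     ", reset_pin_fixed(anon))
print("fixed, wrong user:    ", reset_pin_fixed(alice))
```

The same ordering (authenticate, authorize, validate, then act) is what audit logging should record per request, so that a 401 or 403 on the PIN reset path becomes a detectable signal rather than a silent success.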

Responsible: Nozomi

Reservation: 02/07/2025

Disclosure: 02/12/2025

Moderation: accepted

CPE: ready

EPSS: 0.00855

KEV: no

Activities: very low

Sources
