CVE-2025-26362 | HackTesting

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to set an arbitrary authentication profile server via crafted HTTP requests.

Credits

Diego Giubertoni of Nozomi Networks found this bug during a security research activity.

Q-Free

References

https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26362