CVE-2025-26343
In short
Q-Free MaxTime versions 2.11.0 and earlier have weak PIN authentication that lets attackers guess user PINs through repeated HTTP requests. This allows unauthorized access to the system without needing valid credentials.
Technical detail
A CWE-1390 weak authentication vulnerability in the PIN mechanism of Q-Free MaxTime ≤2.11.0 enables unauthenticated remote attackers to perform brute-force attacks via crafted HTTP requests. The attack requires no prior authentication and can enumerate valid PINs through multiple successive attempts, leading to unauthorized account access.
Summary generated and translated by AI from the official description.
A CWE-1390 "Weak Authentication" in the PIN authentication mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to brute-force user PINs via multiple crafted HTTP requests.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Q-Free · MaxTime