CVE-2025-1100
📋 TL;DR
CVE-2025-1100 is a critical vulnerability in Q-Free MaxTime traffic management software where a hard-coded root password allows unauthenticated remote attackers to gain complete system control via SSH. This affects all organizations running Q-Free MaxTime version 2.11.0 or earlier. Attackers can execute arbitrary code with root privileges, potentially compromising entire traffic management systems.
💻 Affected Systems
- Q-Free MaxTime
📦 What is this software?
Maxtime by Q Free
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover allowing attackers to disrupt traffic management systems, manipulate traffic signals, exfiltrate sensitive data, or deploy ransomware across the network.
Likely Case
Attackers gain persistent root access to install backdoors, pivot to other systems, and maintain long-term control over traffic infrastructure.
If Mitigated
If SSH is disabled or network segmentation isolates the system, impact is limited to denial of service if attackers can still reach the system.
🎯 Exploit Status
Exploitation requires only SSH access and knowledge of the hard-coded password. No authentication or special conditions needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.11.1 or later
Vendor Advisory: https://www.q-free.com/security-advisories
Restart Required: Yes
Instructions:
1. Contact Q-Free support for patch files. 2. Backup configuration and data. 3. Apply the patch following vendor instructions. 4. Restart the MaxTime service. 5. Verify SSH access requires proper authentication.
🔧 Temporary Workarounds
Disable SSH Service
linuxTemporarily disable SSH to prevent remote exploitation while patching
sudo systemctl stop ssh
sudo systemctl disable ssh
Block SSH Port with Firewall
linuxBlock SSH access at network level while maintaining service functionality
sudo iptables -A INPUT -p tcp --dport 22 -j DROP
sudo iptables-save > /etc/iptables/rules.v4
🧯 If You Can't Patch
- Implement strict network segmentation to isolate MaxTime systems from untrusted networks
- Deploy host-based intrusion detection and monitor for SSH authentication attempts using the hard-coded password
🔍 How to Verify
Check if Vulnerable:
Attempt SSH login with the known hard-coded password (check security advisories for specific password). If login succeeds without proper authentication, system is vulnerable.Check Version:
Check MaxTime web interface or configuration files for version information, or contact Q-Free supportVerify Fix Applied:
Verify SSH login with hard-coded password fails and requires proper authentication. Check MaxTime version is >2.11.0.📡 Detection & Monitoring
Log Indicators:
- Failed SSH authentication attempts followed by successful login with specific username
- SSH log entries showing root login from unexpected sources
- Authentication logs showing password-based SSH login
Network Indicators:
- SSH connections to port 22 from unexpected IP addresses
- Unusual SSH traffic patterns outside maintenance windows
SIEM Query:
source="auth.log" AND "sshd" AND ("Accepted password" OR "session opened") AND user="root" | stats count by src_ip