CVE-2025-26344
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to enable passwordless guest mode in Q-Free MaxTime by sending crafted HTTP requests to the /maxprofile/guest-mode/ endpoints. It affects all Q-Free MaxTime installations running version 2.11.0 or earlier. No credentials are needed: the authentication check that should gate this function is missing, so anyone who can reach the web interface can turn guest mode on.
💻 Affected Systems
- Q-Free MaxTime
📦 What is this software?
MaxTime is Q-Free's traffic-signal controller software (the former Intelight MaxTime ATC product), which runs on intersection controllers and exposes a web interface for configuration and operation.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the controller's web interface: unauthorized access to MaxTime functionality, exfiltration of controller configuration and data, and disruption of traffic-signal control at the intersections the controller manages.
Likely Case
Unauthorized, unauthenticated access to whatever guest mode exposes, with potential manipulation of controller data. How far that reaches depends on the privileges the guest account carries in a given deployment; treat it as a foothold rather than a contained, read-only view.
If Mitigated
Limited impact if the MaxTime web interface is reachable only from a segmented management network, since exploitation requires HTTP access to the vulnerable endpoint. Segmentation reduces exposure but does not remove the flaw; an attacker already on the management network can still exploit it.
🎯 Exploit Status
Crafted HTTP requests to the /maxprofile/guest-mode/ endpoints enable guest mode without authentication. No special tools or advanced skills are required; any HTTP client that can reach the interface suffices.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: > 2.11.0
Vendor Advisory: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26344
Restart Required: Yes
Instructions:
1. Contact Q-Free for a patched version (>2.11.0).
2. Back up the current MaxTime configuration.
3. Apply the update following the vendor's instructions.
4. Restart MaxTime services.
5. Verify that the guest mode endpoints now require authentication.
🔧 Temporary Workarounds
Network Access Control
Linux: restrict network access to the MaxTime web interface using firewall rules, for example on a Linux host or gateway in front of the controller:
iptables -A INPUT -p tcp --dport [MaxTime-port] -s [trusted-network] -j ACCEPT
iptables -A INPUT -p tcp --dport [MaxTime-port] -j DROP
Each -s argument takes a single address or CIDR, so repeat the ACCEPT line once per trusted network. Rule order matters: -A appends, so if an earlier rule in the INPUT chain already accepts all traffic to that port, these rules are never reached; check with iptables -L INPUT -n --line-numbers and use -I to insert above it if needed. Persist the rules (for example with iptables-save) so they survive a reboot.
Disable Guest Mode
All platforms: temporarily disable guest mode functionality if it is not required.
Edit the MaxTime configuration to disable guest mode features, following the vendor's documentation for the installed version. Note that this is a workaround, not a fix: the missing authentication check remains, so re-verify after any configuration change or upgrade that guest mode stays off.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate MaxTime systems from untrusted networks
- Deploy web application firewall (WAF) rules to block requests to /maxprofile/guest-mode/ endpoints
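If you front the MaxTime web interface with a reverse proxy, the endpoint block from the list above can be expressed as an nginx location rule. The configuration below is an added example, not part of the advisory or of Q-Free's product. It assumes MaxTime listens on 127.0.0.1:8080 behind the proxy, that 10.20.0.0/24 is the trusted administration network, and that the TLS certificate paths exist; adjust all three for your deployment.

```nginx
# Added example: nginx reverse proxy in front of the MaxTime web interface.
# Assumptions (not from the advisory): MaxTime on 127.0.0.1:8080, trusted admin
# network 10.20.0.0/24, certificate files under /etc/nginx/tls/.
upstream maxtime {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name maxtime.example.internal;
    ssl_certificate     /etc/nginx/tls/maxtime.crt;
    ssl_certificate_key /etc/nginx/tls/maxtime.key;

    # Block the vulnerable guest-mode endpoints from everything except the
    # administration network. "^~" makes this prefix match win over any regex
    # locations, and allow/deny are evaluated in order: allow first, then deny all.
    location ^~ /maxprofile/guest-mode/ {
        allow 10.20.0.0/24;
        deny  all;
        proxy_pass http://maxtime;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else still reaches MaxTime. If the interface is not meant to be
    # reachable from the wider network, apply the same allow/deny here as well.
    location / {
        proxy_pass http://maxtime;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Denied requests get an HTTP 403 from nginx and never reach MaxTime, and they show up in the proxy's access log with that status, which gives the detection section below a clean signal for blocked exploitation attempts. The rule only protects traffic that passes through the proxy: if MaxTime's own port is still reachable directly, the firewall rules in the workaround above are needed too.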
🔍 How to Verify
Check if Vulnerable:
Check whether the MaxTime version is <=2.11.0. Confirming the flaw directly means sending an unauthenticated HTTP request (for example a POST) to the guest mode endpoint under /maxprofile/guest-mode/ and observing whether it succeeds; note that a successful test actually enables guest mode on the controller, so only run it against systems you own, during a maintenance window, and disable guest mode again afterwards.
Check Version:
Check MaxTime admin interface or configuration files for version information
Verify Fix Applied:
Verify version >2.11.0 and confirm guest mode endpoints require proper authentication
📡 Detection & Monitoring
Log Indicators:
- HTTP requests (the advisory does not specify the method; POST is the likely candidate) to /maxprofile/guest-mode/ endpoints that are not tied to an authenticated session
- Guest mode activation events with no preceding authenticated login in the application logs
Network Indicators:
- HTTP traffic to MaxTime guest mode endpoints from unauthorized sources
- Unusual guest mode activation patterns
SIEM Query (pseudo-query; the source, field and event names are placeholders to adapt to your log schema):
source="MaxTime" AND (url_path="/maxprofile/guest-mode/" OR event="guest_mode_activation") AND user="anonymous"
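The log indicators above can be turned into a concrete check over web-server access logs. The script below is an added example, not code from the advisory or from Q-Free: it parses combined-format access-log lines, keeps only requests to the /maxprofile/guest-mode/ prefix, and flags those that come from outside a trusted range or carry no authenticated user. The sample log lines are constructed for illustration (the sub-paths under /maxprofile/guest-mode/ are invented, since the advisory names only the prefix), and the trusted network 10.20.0.0/24 is an assumption. It also assumes the log's remote-user field reflects the authenticated identity; if MaxTime authenticates with session cookies instead, that field will be "-" for everyone and the "no authenticated user" reason must be correlated against the application's own login events.

```python
import ipaddress
import re

# Assumption: the administration network from which guest-mode changes are expected.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Endpoint prefix named in the advisory; sub-paths below are constructed examples.
GUEST_MODE_PREFIX = "/maxprofile/guest-mode/"

# Constructed sample log lines (Apache/nginx combined format), not real MaxTime logs.
SAMPLE_LOG = """\
10.20.0.5 - admin [12/Mar/2025:09:14:02 +0000] "GET /maxprofile/ HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.20.0.5 - admin [12/Mar/2025:09:14:30 +0000] "POST /maxprofile/guest-mode/enable HTTP/1.1" 200 57 "-" "Mozilla/5.0"
203.0.113.77 - - [12/Mar/2025:09:16:11 +0000] "POST /maxprofile/guest-mode/enable HTTP/1.1" 200 57 "-" "python-requests/2.31"
203.0.113.77 - - [12/Mar/2025:09:16:12 +0000] "GET /maxprofile/settings HTTP/1.1" 200 8810 "-" "python-requests/2.31"
10.20.0.9 - - [12/Mar/2025:09:20:45 +0000] "GET /maxprofile/guest-mode/status HTTP/1.1" 401 0 "-" "curl/8.4"
"""

# host ident authuser [timestamp] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format access-log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip, trusted_nets=TRUSTED_NETS):
    """True if the source address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address: treat as untrusted, never as trusted
    return any(addr in net for net in trusted_nets)


def find_guest_mode_alerts(log_text, trusted_nets=TRUSTED_NETS):
    """Return one alert per guest-mode request that is untrusted or unauthenticated.

    'succeeded' records whether the server answered 2xx, i.e. whether the request
    actually reached the endpoint rather than being rejected or blocked upstream.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(GUEST_MODE_PREFIX):
            continue
        reasons = []
        if not is_trusted(rec["ip"], trusted_nets):
            reasons.append("untrusted source")
        if rec["user"] == "-":
            reasons.append("no authenticated user")
        if reasons:
            alerts.append({
                "ip": rec["ip"],
                "user": rec["user"],
                "ts": rec["ts"],
                "method": rec["method"],
                "path": rec["path"],
                "status": rec["status"],
                "succeeded": 200 <= rec["status"] < 300,
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for a in find_guest_mode_alerts(SAMPLE_LOG):
        level = "HIGH" if a["succeeded"] else "INFO"
        print(f"[{level}] {a['ts']} {a['ip']} {a['method']} {a['path']} "
              f"status={a['status']} ({', '.join(a['reasons'])})")
```

Against the constructed sample, the admin's change from the trusted network is ignored, the 203.0.113.77 activation is flagged as a successful unauthenticated request from an untrusted source, and the 401 from 10.20.0.9 is flagged as an unauthenticated attempt that did not succeed. A 2xx on a flagged request is the case that warrants checking whether guest mode is now on.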