CVE-2025-26347
📋 TL;DR
This vulnerability is a missing-authentication flaw in the web interface of Q-Free MaxTime traffic management systems: unauthenticated remote attackers can edit user permissions by sending crafted HTTP requests to the permission-editing routes (the affected code lives in maxprofile/menu/routes.lua). It affects all Q-Free MaxTime installations running version 2.11.0 or earlier, and no credentials of any kind are needed to exploit it.
💻 Affected Systems
- Q-Free MaxTime, version 2.11.0 and earlier
📦 What is this software?
MaxTime is Q-Free's traffic controller software for traffic management deployments. It is administered through an embedded web interface, and this advisory concerns the permission-management routes of that interface.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where attackers can create administrative accounts, disable legitimate users, and potentially gain full control over traffic management systems, leading to traffic disruption or manipulation.
Likely Case
Attackers modify user permissions to gain unauthorized access, escalate privileges, or disrupt normal operations by disabling legitimate users.
If Mitigated
If the MaxTime web interface is reachable only from a segmented management network, an attacker must first gain a foothold on that network. Once there, they can still change permissions without credentials, because the flaw is the absence of an authentication check rather than a weak one; segmentation therefore limits exposure, not the impact of a request that reaches the interface.
🎯 Exploit Status
Exploitation needs only crafted HTTP requests to the permission-editing endpoints, with no credentials, so it is straightforward for anyone who can reach the MaxTime web interface over the network.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: later than 2.11.0 (obtain the exact release from Q-Free)
Vendor Advisory: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26347
Restart Required: Yes
Instructions:
1. Contact Q-Free for a release later than 2.11.0.
2. Back up the current controller configuration.
3. Apply the patch/upgrade.
4. Restart the MaxTime services.
5. Verify that authentication is now required for the permission-management functions (see "How to Verify" below).
🔧 Temporary Workarounds
Network Access Control
Linux: Restrict network access to the MaxTime web interface to authorized addresses only, on the host or on a gateway in front of it. Replace the bracketed placeholders with the interface's TCP port and your management network; the ACCEPT rule must come before the DROP rule and before any broader ACCEPT in the chain.
iptables -A INPUT -p tcp --dport [MaxTime_port] -s [trusted_network] -j ACCEPT
iptables -A INPUT -p tcp --dport [MaxTime_port] -j DROP
Web Application Firewall
All platforms: Deploy WAF rules in front of the web interface to block permission-modification requests that do not carry a valid session. A rule that requires a session cookie on write requests (POST/PUT) to the permission endpoints is more robust than matching on a specific request body, since the exact request shape is not published in the advisory.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate MaxTime systems from untrusted networks
- Deploy intrusion detection systems to monitor for permission modification attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the MaxTime version is ≤ 2.11.0. If you have access to the application code, examine maxprofile/menu/routes.lua (the file named in the CVE) for permission-editing routes that are registered without an authentication check; this is a source file path, and the corresponding URL paths are not stated in the advisory.
Check Version:
Check the MaxTime web interface (about/status page) or its configuration files for version information.
Verify Fix Applied:
After patching, send an HTTP request with no session cookie or other credential to a permission-editing endpoint. It should be rejected with an authentication error (401/403, or a redirect to the login page) rather than processed.
📡 Detection & Monitoring
Log Indicators:
- POST/PUT requests to permission-related endpoints that carry no session cookie or other credential
- User permission changes originating from unexpected IP addresses
- Failed authentication attempts followed by permission modifications
Network Indicators:
- HTTP requests to the permission-editing endpoints without a session cookie or authentication header (the advisory names the source file maxprofile/menu/routes.lua; treat /maxprofile/menu/ as an assumed URL prefix and confirm it against your installation)
- Permission changes arriving from outside the management network
SIEM Query (illustrative; map source, uri, method and auth_success to the field names your log pipeline actually produces):
source="MaxTime" AND uri="/maxprofile/menu/*" AND method IN ("POST","PUT") AND NOT auth_success="true"
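The log and network indicators above, turned into detection logic as an added example (not code from Q-Free, Nozomi, or any SIEM vendor): it scans access-log lines for write requests to the permission endpoints that carry no session credential or come from outside the management network. Everything below is constructed for the example: the log format (combined format with the session cookie appended as a final quoted field), the /maxprofile/menu/ URL prefix, the concrete paths, and the 10.20.0.0/24 management network.

```python
"""Detect unauthenticated or out-of-network writes to the MaxTime permission
endpoints (CVE-2025-26347 indicators) in access-log lines.

Added example, not Q-Free's or Nozomi's code. Log format, URL prefix, paths
and the management network are assumptions, not values from the advisory.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed URL prefix (from the routes.lua source path in the CVE text).
PERMISSION_PREFIX = "/maxprofile/menu/"
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed management LAN

# Combined log format plus one extra quoted field holding the session cookie
# ("-" when absent). Constructed for this example.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<session>[^"]*)"$'
)


@dataclass
class Finding:
    ts: str
    src: str
    method: str
    path: str
    status: int
    reasons: tuple


def analyze(line):
    """Return a Finding for a suspicious permission write, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, path = m["method"], m["path"]
    if method not in WRITE_METHODS or not path.startswith(PERMISSION_PREFIX):
        return None
    reasons = []
    if m["session"] in ("", "-"):
        reasons.append("no session credential")
    src = ipaddress.ip_address(m["src"])
    if not any(src in net for net in TRUSTED_NETS):
        reasons.append("source outside management network")
    if not reasons:
        return None
    return Finding(m["ts"], m["src"], method, path, int(m["status"]), tuple(reasons))


def scan(lines):
    """Run analyze() over an iterable of log lines and collect the findings."""
    return [f for f in map(analyze, lines) if f is not None]


# Constructed sample log lines (not real MaxTime output).
SAMPLE_LOG = [
    '10.20.0.15 - admin [12/Mar/2025:09:14:02 +0000] "POST /maxprofile/menu/permissions HTTP/1.1" 200 118 "-" "Mozilla/5.0" "sid=9f3a"',
    '198.51.100.7 - - [12/Mar/2025:09:15:41 +0000] "POST /maxprofile/menu/permissions HTTP/1.1" 200 118 "-" "python-requests/2.31" "-"',
    '10.20.0.15 - admin [12/Mar/2025:09:16:00 +0000] "GET /maxprofile/menu/permissions HTTP/1.1" 200 4021 "-" "Mozilla/5.0" "sid=9f3a"',
    '10.20.0.99 - - [12/Mar/2025:09:17:13 +0000] "PUT /maxprofile/menu/users/3 HTTP/1.1" 200 54 "-" "curl/8.4.0" "-"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.method} {f.path} -> {f.status}: {', '.join(f.reasons)}")
```

On the sample, the admin's authenticated POST and the read-only GET are ignored; the external POST with no session and the in-network PUT with no session are both flagged. A 200 status on a flagged line is the strongest signal, since it means the controller processed the unauthenticated write.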