CVE-2025-26352

6.5 MEDIUM

📋 TL;DR

This path traversal vulnerability in Q-Free MaxTime allows authenticated remote attackers to delete sensitive files by manipulating HTTP requests. It affects all installations running version 2.11.0 or earlier. Attackers need valid credentials but can potentially delete critical system files.

💻 Affected Systems

Products:
  • Q-Free MaxTime
Versions: <= 2.11.0
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. Authentication is required but standard user credentials may be sufficient.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through deletion of critical operating system files, configuration files, or application binaries leading to service disruption or system crash.

🟠 Likely Case

Deletion of application configuration files, logs, or user data causing service disruption, data loss, and potential downtime.

🟢 If Mitigated

Limited impact to non-critical files if proper file permissions and access controls are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated access but exploitation is straightforward once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: > 2.11.0

Vendor Advisory: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26352

Restart Required: Yes

Instructions:

1. Contact Q-Free for updated version >2.11.0.
2. Backup configuration and data.
3. Install the updated version.
4. Restart the MaxTime service.
5. Verify functionality.

🔧 Temporary Workarounds

Restrict File Permissions

linux

Set strict file permissions on sensitive directories to prevent deletion

chmod 750 /path/to/sensitive/directories
chown root:root /path/to/sensitive/directories

Network Segmentation

all

Restrict access to MaxTime administration interface to trusted networks only

🧯 If You Can't Patch

  • Implement strict access controls and multi-factor authentication for all MaxTime users
  • Deploy file integrity monitoring to detect unauthorized file deletions

🔍 How to Verify

Check if Vulnerable:

Check the MaxTime version in the administration interface or configuration files. If the version is 2.11.0 or earlier, the system is vulnerable.

Check Version:

Check web interface or configuration files for version information

Verify Fix Applied:

Verify version is >2.11.0 and test template deletion functionality with path traversal attempts.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with unusual file paths in template deletion endpoints
  • Multiple failed file deletion attempts
  • Successful deletion of files outside expected directories

Network Indicators:

  • HTTP POST requests to template deletion endpoints with path traversal sequences (../, ..\)
  • Unusual patterns of file deletion requests

SIEM Query:

source="maxtime" AND (uri="*delete*" OR uri="*template*") AND (uri="*../*" OR uri="*..\*")
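
The query above only matches literal ../ and ..\ in the URI. The following is an added example, not vendor or advisory code, that applies the same check after undoing percent-encoding so encoded forms are also flagged. The log layout, the /example/... endpoint paths and the user names are constructed assumptions, since the page does not give MaxTime's real log format or endpoint names.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (assumed access-log layout, hypothetical endpoints).
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Feb/2025:10:01:02 +0000] "POST /example/template/delete?name=report.tpl HTTP/1.1" 200
10.0.0.9 - bob [12/Feb/2025:10:03:40 +0000] "POST /example/template/delete?name=..%2f..%2fconf%2fapp.cfg HTTP/1.1" 200
10.0.0.9 - bob [12/Feb/2025:10:03:55 +0000] "POST /example/template/delete?name=%252e%252e%255cdata HTTP/1.1" 404
10.0.0.7 - carol [12/Feb/2025:10:05:11 +0000] "GET /example/status?ref=../x HTTP/1.1" 200
"""

REQUEST = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Same URI filter as the SIEM query: delete or template anywhere in the URI.
ENDPOINT = re.compile(r"delete|template", re.IGNORECASE)
# A ".." path segment delimited by a separator or parameter boundary.
TRAVERSAL = re.compile(r"(^|[/\\=&?])\.\.([/\\]|$)")


def normalize(uri, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are exposed."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def find_traversal_deletes(log_text):
    """Return (user, status, decoded_uri) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # unparseable line: skipped here, worth counting in production
        uri = normalize(m["uri"])
        if ENDPOINT.search(uri) and TRAVERSAL.search(uri):
            hits.append((m["user"], m["status"], uri))
    return hits


if __name__ == "__main__":
    for user, status, uri in find_traversal_deletes(SAMPLE_LOG):
        print(f"user={user} status={status} uri={uri}")
```

A hit with a success status is the case to correlate with file integrity monitoring, because the status code alone does not show which file was removed.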
