CVE-2025-26354
📋 TL;DR
This path traversal vulnerability in Q-Free MaxTime allows authenticated remote attackers to overwrite sensitive files by manipulating file paths in HTTP requests to the copy endpoint. It affects all Q-Free MaxTime installations running version 2.11.0 or earlier. Attackers must have valid authentication credentials to exploit this vulnerability.
💻 Affected Systems
- Q-Free MaxTime
📦 What is this software?
MaxTime by Q-Free
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through overwriting critical system files, configuration files, or authentication databases, potentially leading to service disruption, data loss, or remote code execution.
Likely Case
Unauthorized modification of application files leading to service disruption, data corruption, or privilege escalation within the MaxTime application.
If Mitigated
Limited impact with proper file permission controls and monitoring, potentially only affecting non-critical application files.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of the API endpoint structure. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: > 2.11.0
Vendor Advisory: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26354
Restart Required: No
Instructions:
1. Contact Q-Free for the latest patched version.
2. Back up the current configuration and data.
3. Install the updated version following vendor instructions.
4. Verify the patch is applied correctly.
🔧 Temporary Workarounds
Restrict API Access
All platforms: Limit network access to the MaxTime API endpoints to only trusted IP addresses or networks.
Use firewall rules to restrict access to port 80/443 on MaxTime server to authorized IPs only
File System Permissions
Linux/Unix: Set restrictive permissions on sensitive directories to prevent unauthorized file modifications.
chmod 755 /path/to/maxtime/directories
chown root:root /path/to/sensitive/files
🧯 If You Can't Patch
- Implement strict network segmentation to isolate MaxTime servers from untrusted networks
- Enable detailed logging of all API requests and monitor for suspicious file path patterns
🔍 How to Verify
Check if Vulnerable:
Check the MaxTime version in the application interface or configuration files. If version is 2.11.0 or earlier, the system is vulnerable.
Check Version:
Check the MaxTime web interface or configuration files for version information
Verify Fix Applied:
Verify the installed version is greater than 2.11.0 and test the copy endpoint with path traversal attempts to confirm they are blocked.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /maxtime/api/database/database.lua with unusual file paths
- Multiple failed file operations with path traversal patterns
- Unauthorized file modification attempts
Network Indicators:
- HTTP POST requests to copy endpoint with ../ patterns in parameters
- Unusual file paths in API requests
SIEM Query:
source="maxtime_logs" AND (uri="/maxtime/api/database/database.lua" AND (param CONTAINS "../" OR param CONTAINS "..\\"))