CVE-2025-26356
📋 TL;DR
This path traversal vulnerability in Q-Free MaxTime allows authenticated remote attackers to overwrite sensitive files by manipulating file paths in HTTP requests. It affects Q-Free MaxTime versions up to and including 2.11.0. Attackers must have valid authentication credentials to exploit this vulnerability.
💻 Affected Systems
- Q-Free MaxTime
📦 What is this software?
Maxtime by Q Free
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could overwrite critical system files, configuration files, or application files, potentially leading to system compromise, data loss, or service disruption.
Likely Case
Attackers with valid credentials could modify application files, configuration files, or write malicious content to the system, potentially enabling further attacks or disrupting operations.
If Mitigated
With proper access controls and monitoring, exploitation would be detected and contained before significant damage occurs.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of the vulnerable endpoint. Attackers must craft specific HTTP requests with path traversal sequences.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version > 2.11.0
Vendor Advisory: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26356
Restart Required: No
Instructions:
1. Upgrade to a version of Q-Free MaxTime newer than 2.11.0. 2. Apply the vendor-provided patch if available. 3. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Input Validation and Sanitization
allImplement strict input validation on the setActive endpoint to reject any requests containing path traversal sequences (../, ..\, etc.)
Access Restriction
allRestrict network access to the MaxTime API to only trusted IP addresses or networks.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate MaxTime systems from critical infrastructure
- Enhance monitoring and alerting for suspicious file write operations and path traversal patterns in HTTP requests
🔍 How to Verify
Check if Vulnerable:
Check the MaxTime version number. If it's 2.11.0 or earlier, the system is vulnerable. Test the /maxtime/api/database/database.lua setActive endpoint with path traversal payloads.Check Version:
Check the MaxTime administration interface or configuration files for version information.Verify Fix Applied:
After patching or upgrading, attempt to exploit the vulnerability using the same techniques. Successful exploitation should no longer be possible.📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /maxtime/api/database/database.lua containing ../ or ..\ sequences
- Unexpected file write operations in system logs
- Failed authentication attempts followed by path traversal patterns
Network Indicators:
- HTTP POST/PUT requests to the vulnerable endpoint with unusual path parameters
- Traffic patterns indicating file manipulation attempts
SIEM Query:
source="web_server_logs" AND (uri="/maxtime/api/database/database.lua" AND (message="../" OR message="..\\"))