CVE-2025-26359
📋 TL;DR
An unauthenticated remote attacker can reset user PINs in Q-Free MaxTime by sending crafted HTTP requests to the account-management routes (maxprofile/accounts/routes.lua); the reset path performs no authentication check. All MaxTime installations running version 2.11.0 or earlier are affected, so user accounts, including administrative ones, can be taken over without any credentials.
💻 Affected Systems
- Q-Free MaxTime
📦 What is this software?
MaxTime by Q-Free: traffic signal controller software with a web-based management interface.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the MaxTime installation: attackers reset every user's PIN, lock legitimate users out, and gain administrative access to the MaxTime web interface.
Likely Case
Attackers reset the PIN of a targeted user and log in as that user, gaining whatever access that account has in the MaxTime interface, including the ability to modify data or read sensitive information.
If Mitigated
Network segmentation and an authentication gateway in front of the web interface do not remove the flaw, but they restrict who can reach the vulnerable endpoint: only hosts on the trusted management network can exploit it, and the blast radius stays within the MaxTime application.
🎯 Exploit Status
Exploitation requires nothing more than crafted HTTP requests to the vulnerable endpoint: no credentials, no user interaction, and no prior foothold on the network beyond reachability of the web interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: > 2.11.0 (any release later than 2.11.0)
Advisory (Nozomi Networks Labs, reporter): https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26359
Restart Required: Yes
Instructions:
1. Contact Q-Free for a patched release (later than 2.11.0).
2. Back up the current installation and its configuration.
3. Apply the patch/upgrade.
4. Restart the MaxTime services.
5. Verify the fix: an unauthenticated request to the PIN reset endpoint must now be rejected (401/403) rather than accepted.
🔧 Temporary Workarounds
Network Access Control
Restrict network access to the MaxTime web interface to trusted IPs only. Replace [MaxTime_port] with the TCP port the web interface listens on and [trusted_network] with the management subnet in CIDR form. Rule order matters: these rules are appended, so they only take effect if no earlier rule in the INPUT chain already accepts traffic to that port (use -I instead of -A to place them first if it does).
# allow the management subnet to reach the web interface, then drop everyone else
iptables -A INPUT -p tcp --dport [MaxTime_port] -s [trusted_network] -j ACCEPT
iptables -A INPUT -p tcp --dport [MaxTime_port] -j DROP
Web Application Firewall
Implement WAF or reverse-proxy rules that block requests to the /maxprofile/accounts/* endpoints unless they carry a valid session, and allow them only from management addresses. The flaw is in MaxTime's own authorisation, so the check must be enforced in front of the application, not by it.
🧯 If You Can't Patch
- Isolate MaxTime from untrusted networks with strict segmentation; the web interface should be reachable only from the management network, ideally through a VPN or jump host
- Put an authentication layer in front of the web interface (VPN, authenticating reverse proxy, or 2FA enforced at that layer); enabling 2FA inside MaxTime itself does not help, because the vulnerable endpoint skips MaxTime's authentication entirely. Monitor for unauthorised PIN reset attempts
🔍 How to Verify
Check if Vulnerable:
Confirm that the MaxTime version is 2.11.0 or lower. If you test directly, send an unauthenticated PIN reset request to a /maxprofile/accounts/ route on a test or spare controller rather than a live installation, and check whether it is accepted instead of being rejected with 401/403
Check Version:
Read the version from the MaxTime web interface admin panel or from the installation's configuration files
Verify Fix Applied:
After patching, confirm that unauthenticated requests to the PIN reset endpoints are rejected with 401/403, and that a PIN reset still works for an authenticated administrator
📡 Detection & Monitoring
Log Indicators:
- POST/PUT requests to /maxprofile/accounts/* endpoints that carry no session cookie or Authorization header and still receive a 2xx response
- Multiple failed authentication attempts followed by PIN reset requests
- Unusual PIN reset activity from unexpected IP addresses
Network Indicators:
- HTTP requests to /maxprofile/accounts/routes.lua or other /maxprofile/accounts/ routes without session cookies or authentication headers
- Traffic patterns showing PIN reset attempts from external IPs
SIEM Query:
source="MaxTime" AND uri_path="/maxprofile/accounts/*" AND http_method IN ("POST","PUT") AND http_status IN (200,201,204) AND NOT auth_token=*
(Field names are illustrative; map them to however your proxy or web-server logs are parsed. Restricting to POST/PUT and 2xx cuts out ordinary page loads and rejected probes, which are worth a separate, lower-severity rule.)
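The log indicators above, as a runnable check over access-log lines. This is an added example, not code from Q-Free, Nozomi or the original page: the log format, the trailing field holding the Authorization header, the routes /maxprofile/accounts/reset and /maxprofile/accounts/12, the management subnet 10.0.5.0/24 and the sample lines are all constructed for illustration; adapt LOG_RE and the trusted networks to your own proxy or web-server logs.

```python
"""Flag suspicious requests to the MaxTime /maxprofile/accounts/ routes.

Added example (not vendor code). Assumes a combined-style access log with one
extra quoted field at the end holding the Authorization header, or "-" when
the request carried none. Real MaxTime or proxy logs will differ: adjust LOG_RE.
"""
import ipaddress
import re
from dataclasses import dataclass, field

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<auth>[^"]*)"$'
)

WATCH_PREFIX = "/maxprofile/accounts/"          # route prefix named in the advisory
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}   # PIN resets are state-changing


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    tags: list = field(default_factory=list)


def analyze(log_lines, trusted_nets):
    """Return one Hit per state-changing request under WATCH_PREFIX that was
    sent without credentials (accepted or rejected) or came from outside
    trusted_nets. Tags on each Hit say which indicators fired."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        if m["method"] not in MUTATING or not m["path"].startswith(WATCH_PREFIX):
            continue
        status = int(m["status"])
        tags = []
        # Core indicator for CVE-2025-26359: no credential presented, yet 2xx.
        # A rejected unauthenticated request is still a probe worth recording.
        if m["auth"] == "-":
            tags.append("unauth_success" if 200 <= status < 300 else "unauth_rejected")
        # Secondary indicator: account changes from outside the management net.
        if not any(ipaddress.ip_address(m["ip"]) in n for n in nets):
            tags.append("external_source")
        if tags:
            hits.append(Hit(m["ip"], m["ts"], m["method"], m["path"], status, tags))
    return hits


# Constructed sample lines; the account routes and addresses are assumptions.
SAMPLE_LOG = [
    '10.0.5.7 - - [12/Mar/2025:10:01:02 +0000] "GET /maxprofile/status HTTP/1.1" 200 512 "-" "Mozilla/5.0" "Bearer abc"',
    '203.0.113.45 - - [12/Mar/2025:10:02:15 +0000] "POST /maxprofile/accounts/reset HTTP/1.1" 200 0 "-" "curl/8.0" "-"',
    '10.0.5.9 - - [12/Mar/2025:10:03:00 +0000] "POST /maxprofile/accounts/reset HTTP/1.1" 401 0 "-" "curl/8.0" "-"',
    '10.0.5.9 - - [12/Mar/2025:10:03:30 +0000] "PUT /maxprofile/accounts/12 HTTP/1.1" 200 0 "-" "Mozilla/5.0" "Bearer xyz"',
    '198.51.100.7 - - [12/Mar/2025:10:04:00 +0000] "PUT /maxprofile/accounts/12 HTTP/1.1" 204 0 "-" "python-requests/2.31" "Bearer xyz"',
]
TRUSTED = ["10.0.5.0/24"]  # assumed management subnet

if __name__ == "__main__":
    for h in analyze(SAMPLE_LOG, TRUSTED):
        print(f"{h.ts} {h.ip} {h.method} {h.path} -> {h.status} {','.join(h.tags)}")
```

On the sample input the external unauthenticated POST that got a 200 is the CVE-2025-26359 signature and fires both tags; the 401 from inside the management network is a rejected probe (what you expect to see after patching or behind a blocking proxy); the authenticated PUT from 198.51.100.7 fires only on source address. Treat unauth_success as high severity and the other two as context for the same hunt.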