CVE-2025-26364

7.5 HIGH

📋 TL;DR

An unauthenticated remote attacker can disable authentication profile servers in Q-Free MaxTime traffic management systems by sending crafted HTTP requests. This affects all Q-Free MaxTime installations running version 2.11.0 or earlier. The vulnerability allows attackers to potentially disrupt authentication services without requiring valid credentials.

💻 Affected Systems

Products:
  • Q-Free MaxTime
Versions: ≤ 2.11.0
Operating Systems: Not OS-specific - affects the MaxTime application
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. The vulnerability is in the maxprofile/setup/routes.lua file.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete disruption of authentication services leading to unauthorized access to traffic management systems, potential manipulation of traffic signals, and system-wide authentication bypass.

🟠

Likely Case

Temporary disruption of authentication services requiring manual intervention to restore, potentially causing authentication failures for legitimate users.

🟢

If Mitigated

Limited impact with proper network segmentation and authentication controls in place, though authentication services may still be temporarily affected.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable via HTTP requests without authentication, making internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - While still exploitable internally, network segmentation and internal access controls can reduce the attack surface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted HTTP requests to the vulnerable endpoint. No authentication is required, making exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: > 2.11.0

Advisory (published by Nozomi Networks Labs; Q-Free is the vendor): https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26364

Restart Required: No

Instructions:

1. Contact Q-Free for the latest patched release.
2. Upgrade MaxTime to a version newer than 2.11.0.
3. Confirm the installed version is newer than 2.11.0. The vulnerable code lives in maxprofile/setup/routes.lua, so comparing that file against the patched release can supplement the check, but the version number is the authoritative indicator.

🔧 Temporary Workarounds

Network Access Control (all affected versions)

Restrict network access to the MaxTime administration interfaces to an allowlist of management hosts; the vulnerable endpoint should not be reachable from general-purpose or untrusted networks.

Web Application Firewall (all affected versions)

Implement WAF rules that block unauthenticated requests to the maxprofile/setup endpoints. This reduces exposure but does not restore the missing authentication check itself, so it is a stopgap until the patch is applied.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate MaxTime servers from untrusted networks
  • Deploy intrusion detection systems to monitor for crafted HTTP requests targeting the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check MaxTime version via administration interface or configuration files. If version is 2.11.0 or earlier, the system is vulnerable.

Check Version:

Check MaxTime administration interface or configuration files for version information

Verify Fix Applied:

Verify that the MaxTime version is greater than 2.11.0. If you also want to confirm behaviourally that crafted HTTP requests to the vulnerable endpoint no longer disable authentication services, do so only against a test or staging instance: a successful request on an unpatched production system takes the authentication profile servers offline.
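The version comparison in the check above is easy to get wrong when done on strings, because "2.9.0" sorts lexicographically after "2.11.0". The following is an added example (not part of the advisory or of Q-Free's software) that parses a version string from the administration interface or a configuration file and compares it numerically against the affected range the page gives (≤ 2.11.0). The input formats it accepts are assumed.

```python
# Added example: decide whether a reported MaxTime version falls inside the
# range the advisory marks as affected (<= 2.11.0) for CVE-2025-26364.
# Not vendor code; the accepted input formats are an assumption.
import re

# Boundary from the advisory: everything up to and including 2.11.0 is affected.
LAST_AFFECTED = (2, 11, 0)


def parse_version(text):
    """Extract the first dotted numeric version from a string such as
    'MaxTime 2.11.0' or 'version=2.10.3-build42' and return it as a
    3-tuple of ints (extra components are ignored, missing ones are 0)."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0))[:3]


def is_vulnerable(text):
    """True when the version is 2.11.0 or earlier (tuple comparison is
    numeric per component, unlike comparing the raw strings)."""
    return parse_version(text) <= LAST_AFFECTED


if __name__ == "__main__":
    for sample in ("MaxTime 2.9.0", "2.11.0", "2.11.1", "version=3.0"):
        print(f"{sample:16} vulnerable={is_vulnerable(sample)}")
```

Note that `"2.9.0" <= "2.11.0"` evaluates to `False` in Python, so a script that compares version strings directly would report a 2.9.x installation as patched; the tuple comparison avoids that.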

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to maxprofile/setup endpoints from unauthenticated sources
  • Authentication service disruption events
  • Unexpected authentication profile server shutdowns

Network Indicators:

  • HTTP POST/PUT requests to vulnerable endpoints without authentication headers
  • Traffic patterns indicating authentication service disruption

SIEM Query (illustrative pseudo-query; map the field names to your own log schema and match the setup path as a prefix rather than an exact URI):

source="maxtime" AND (uri="/maxprofile/setup*" OR event="authentication_disabled") AND src_ip NOT IN authenticated_ips
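The indicators above can be checked without a SIEM. The following added example (not part of the advisory or of Q-Free's software) scans access-log lines from a reverse proxy in front of MaxTime and flags requests to the setup endpoints that come from outside an administrative allowlist or that change state without authentication. The JSON-lines log format, its field names, the allowlist, and the URL prefix `/maxprofile/setup` are all assumptions: the advisory names the file maxprofile/setup/routes.lua, not the URL it is served under, so confirm the prefix against your deployment. The sample log lines are constructed.

```python
# Added example: a small detector for the CVE-2025-26364 log indicators.
# Not vendor code. Log format, field names, allowlist and URL prefix are
# assumptions to be mapped onto the real proxy in front of MaxTime.
import ipaddress
import json

# Assumption: MaxTime's setup routes are exposed under this URL prefix.
SUSPECT_PREFIX = "/maxprofile/setup"

# Assumption: only this management network may reach the admin interface.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.30.0/24")]


def is_allowed(src_ip):
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in ALLOWED_SOURCES)


def classify(record):
    """Return the reasons a request matches the advisory's indicators,
    or an empty list if it does not touch the setup endpoints."""
    reasons = []
    if not record.get("uri", "").startswith(SUSPECT_PREFIX):
        return reasons
    if not is_allowed(record["src_ip"]):
        reasons.append("setup endpoint reached from outside the admin allowlist")
    if record.get("method") in ("POST", "PUT") and not record.get("authenticated"):
        reasons.append("state-changing request without authentication")
    return reasons


def scan(lines):
    """Parse JSON-lines access log records and return (record, reasons)
    for every request that triggers at least one indicator."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        reasons = classify(record)
        if reasons:
            hits.append((record, reasons))
    return hits


# Constructed sample log: one benign admin read, one external unauthenticated
# POST, one internal unauthenticated PUT, and one unrelated request.
SAMPLE_LOG = """
{"ts": "2025-03-01T12:00:00Z", "src_ip": "10.20.30.5", "method": "GET", "uri": "/maxprofile/setup/status", "status": 200, "authenticated": true}
{"ts": "2025-03-01T12:00:07Z", "src_ip": "203.0.113.7", "method": "POST", "uri": "/maxprofile/setup/profile", "status": 200, "authenticated": false}
{"ts": "2025-03-01T12:00:09Z", "src_ip": "10.20.30.9", "method": "PUT", "uri": "/maxprofile/setup/profile", "status": 200, "authenticated": false}
{"ts": "2025-03-01T12:00:11Z", "src_ip": "203.0.113.7", "method": "GET", "uri": "/index.html", "status": 200, "authenticated": false}
"""


if __name__ == "__main__":
    for record, reasons in scan(SAMPLE_LOG.splitlines()):
        print(record["ts"], record["src_ip"], record["method"], record["uri"])
        for reason in reasons:
            print("   -", reason)
```

Run against the constructed sample, the detector flags the external POST on two counts and the internal unauthenticated PUT on one; the admin read and the unrelated request pass. Because the proxy in front of MaxTime may not log whether a request carried credentials, the `authenticated` field is the part most likely to need adapting, and the allowlist check alone is still worth running when it is absent.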
