CVE-2025-26365
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to enable front panel authentication on Q-Free MaxTime systems via crafted HTTP requests. It affects Q-Free MaxTime versions up to and including 2.11.0. Attackers can potentially gain unauthorized access to system configuration functions.
💻 Affected Systems
- Q-Free MaxTime
📦 What is this software?
MaxTime by Q-Free, traffic controller software whose web interface exposes configuration and setup functions.
⚠️ Risk & Real-World Impact
Worst Case
An attacker who can reach the web interface could change authentication settings through an endpoint that performs no authentication check, take over the MaxTime system's configuration, disrupt traffic management operations, or use the controller as a foothold into connected networks.
Likely Case
Attackers would use the unauthenticated endpoint to alter authentication-related configuration and gain unauthorized access to system settings, then modify configuration, disrupt operations, or read sensitive information.
If Mitigated
With proper network segmentation and access controls, the impact would be limited to the MaxTime system itself without lateral movement to other systems.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests to the vulnerable endpoint. No authentication is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version > 2.11.0
Vendor Advisory: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26365
Restart Required: No
Instructions:
1. Contact Q-Free for an updated MaxTime version > 2.11.0.
2. Apply the update following vendor instructions.
3. Verify the fix by testing the vulnerable endpoint (see How to Verify below).
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the MaxTime web interface to trusted IP addresses only
Use firewall rules to limit access to MaxTime ports (typically 80/443) to authorized management networks
Web Application Firewall
Deploy WAF rules that deny requests to /maxprofile/setup/ endpoints from any source outside the management network
Match the path case-insensitively and after query-string removal so trivial variations of the vulnerable route are not missed
🧯 If You Can't Patch
- Implement strict network segmentation to isolate MaxTime systems from untrusted networks
- Monitor and alert on any HTTP requests to /maxprofile/setup/routes.lua or similar endpoints from unauthorized sources
🔍 How to Verify
Check if Vulnerable:
Check MaxTime version via web interface or system configuration. If version ≤ 2.11.0, system is vulnerable.
Check Version:
Check MaxTime web interface admin panel or consult system documentation for version information
Verify Fix Applied:
After patching, repeat the request against the previously vulnerable endpoint on a system you are authorized to test. A fixed system should reject the request or require authentication before applying any configuration change.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /maxprofile/setup/routes.lua from sources outside the trusted management network
- Unexpected authentication configuration changes
Network Indicators:
- Crafted HTTP POST/GET requests to MaxTime setup endpoints from unauthorized IPs
SIEM Query:
source_ip NOT IN (trusted_ips) AND destination_port IN (80,443) AND url_path CONTAINS '/maxprofile/setup/'
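The SIEM pseudo-query above and the version check under How to Verify, worked through as an added example (not code from the advisory or from Q-Free). It runs over constructed access-log lines in combined log format; the trusted network 10.10.5.0/24, the sample IPs and the 401 status are assumptions for illustration. Two points it adds to the prose: versions must be compared numerically (as a string, "2.9.0" sorts after "2.11.0" and would be wrongly treated as patched), and the path match should ignore case and the query string so a request for /MAXPROFILE/Setup/routes.lua?x=1 is still flagged.

```python
import ipaddress
import re

# Constructed sample access-log lines (combined log format); illustrative only,
# not captured from a MaxTime system.
SAMPLE_LOG = """\
10.10.5.4 - - [12/Mar/2025:09:14:02 +0000] "GET /maxprofile/setup/routes.lua HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2025:09:15:11 +0000] "POST /maxprofile/setup/routes.lua HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2025:09:15:12 +0000] "GET /maxprofile/status HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:09:16:40 +0000] "GET /MAXPROFILE/Setup/routes.lua?x=1 HTTP/1.1" 401 0 "-" "curl/8.4.0"
10.10.5.9 - - [12/Mar/2025:09:17:00 +0000] "GET /index.html HTTP/1.1" 200 1000 "-" "Mozilla/5.0"
"""

# Assumed management network; replace with the real allowlist.
TRUSTED_NETS = [ipaddress.ip_network("10.10.5.0/24")]
SETUP_PREFIX = "/maxprofile/setup/"
LATEST_VULNERABLE = (2, 11, 0)  # affected: versions <= 2.11.0

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(text):
    """Extract '2.11.0' from a version string and return (2, 11, 0).

    Tuples compare numerically; comparing the raw strings would rank
    '2.9.0' above '2.11.0'.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable_version(text):
    """True when the reported MaxTime version is <= 2.11.0."""
    return parse_version(text) <= LATEST_VULNERABLE


def is_trusted(ip, trusted_nets=None):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in (trusted_nets or TRUSTED_NETS))


def normalize_path(path):
    """Drop the query string and lower-case the path so case variants of the
    setup route still match the prefix."""
    return path.split("?", 1)[0].lower()


def find_setup_requests(lines, trusted_nets=None):
    """Return (ip, method, path, status) for every request to the setup
    endpoints that did not come from a trusted network."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if not normalize_path(m["path"]).startswith(SETUP_PREFIX):
            continue
        if is_trusted(m["ip"], trusted_nets):
            continue
        hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for v in ("2.9.0", "2.11.0", "2.11.1"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "not affected")
    for hit in find_setup_requests(SAMPLE_LOG.splitlines()):
        print("ALERT setup endpoint reached from untrusted source:", hit)
```

Running it against the sample flags the two requests from 198.51.100.23 and 203.0.113.7 and ignores both trusted hosts. A request that returned 401 is still worth an alert: it shows someone probing the route, and on an unpatched system the same request would have succeeded.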