CVE-2025-26366

7.5 HIGH

📋 TL;DR

An unauthenticated remote attacker can disable front panel authentication on a Q-Free MaxTime system by sending crafted HTTP requests to its setup routes. Every installation running version 2.11.0 or earlier is affected. No credentials are needed: the request that changes the setting is reachable without first authenticating, so the control that is supposed to protect the front panel can be switched off by anyone who can reach the HTTP interface.

💻 Affected Systems

Products:
  • Q-Free MaxTime
Versions: <= 2.11.0
Operating Systems: Not specified in CVE
Default Config Vulnerable: ⚠️ Yes
Notes: Default installations of affected versions are vulnerable; no non-default setting is required. The flaw is in the route handling in maxprofile/setup/routes.lua, the server-side Lua file that defines the setup routes.

📦 What is this software?

Q-Free MaxTime is traffic signal controller software, originally developed by Intelight, that runs on advanced transportation controller (ATC) hardware at intersections. Operators manage it through an embedded web interface and through the controller's physical front panel; the front panel authentication affected by this CVE is the access control on that local interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain unauthorized administrative access to the MaxTime system, potentially manipulating traffic data, disabling enforcement, or compromising the entire system.

🟠 Likely Case

Attackers disable authentication on the front panel, allowing unauthorized access to configuration and operational controls.

🟢 If Mitigated

With network segmentation and access controls in place, only hosts on the management network can reach the HTTP interface, so exposure is limited to an attacker who already has a foothold there. Segmentation limits who can reach the flaw; it does not remove it.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting specific HTTP requests but does not require authentication or advanced technical skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: > 2.11.0

Vendor Advisory: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26366

Restart Required: No

Instructions:

1. Contact Q-Free for a release later than 2.11.0.
2. Apply the update following the vendor's instructions.
3. Verify the fix: an unauthenticated request to the setup routes must be rejected, and the front panel authentication setting must be unchanged afterwards.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict network access to MaxTime systems to authorized management networks only. Configure firewall rules to block external access to the MaxTime HTTP ports.

Access Control Lists (applies to: all)

Implement IP-based access controls to limit which systems can communicate with MaxTime. Add ACL rules that permit only trusted IP addresses to reach MaxTime services.

🧯 If You Can't Patch

  • Isolate MaxTime systems on separate VLANs with strict firewall rules
  • Implement network monitoring for suspicious HTTP requests to MaxTime endpoints

🔍 How to Verify

Check if Vulnerable:

Read the MaxTime version from the admin web interface or the configuration files. Any version up to and including 2.11.0 is vulnerable.

Check Version:

Check the version in the MaxTime web interface or configuration files (the exact command or file location depends on the installation).
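Once versions have been collected, the comparison against 2.11.0 is where fleet checks tend to go wrong: a plain string comparison ranks "2.9.3" above "2.11.0" and silently drops an affected controller. The script below is an added example for this page, not Q-Free tooling; it parses version strings into integer tuples and classifies each host. The hostnames and version strings in INVENTORY are constructed sample data.

```python
"""Flag inventory entries whose MaxTime version is <= 2.11.0.

Added example for this page, not Q-Free tooling. Versions are compared
component by component as integers; a plain string comparison would rank
"2.9.3" above "2.11.0" and miss an affected host. INVENTORY is constructed
sample data.
"""
import re

LAST_AFFECTED = (2, 11, 0)   # every release up to and including 2.11.0 is affected


def parse_version(text):
    """'2.11.0', 'v2.9.3' or '2.11.0-rc1' -> tuple of ints; a trailing build tag is ignored."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))   # pad so '2.11' compares as 2.11.0


def is_vulnerable(version_text):
    """True when the version sorts at or below 2.11.0."""
    return parse_version(version_text) <= LAST_AFFECTED


def triage_inventory(inventory):
    """(hostname, version) pairs -> {hostname: 'vulnerable' | 'fixed' | 'unknown'}."""
    result = {}
    for host, version in inventory:
        try:
            result[host] = "vulnerable" if is_vulnerable(version) else "fixed"
        except ValueError:
            result[host] = "unknown"      # unparseable: check the controller by hand
    return result


INVENTORY = [   # constructed sample data
    ("tsc-01", "2.11.0"),
    ("tsc-02", "2.9.3"),
    ("tsc-03", "v2.12.1"),
    ("tsc-04", "2.11"),
    ("tsc-05", "unknown"),
]

if __name__ == "__main__":
    for host, state in sorted(triage_inventory(INVENTORY).items()):
        print(f"{host}: {state}")
```

Hosts reported as "unknown" have a version string the parser could not read and should be checked by hand rather than assumed fixed.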

Verify Fix Applied:

After applying the update, test authentication: an attempt to reach the setup routes or change the front panel authentication setting without credentials must be rejected, and front panel authentication must still be enforced on the controller afterwards.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to the setup routes (the handlers defined in maxprofile/setup/routes.lua) from addresses outside the management network; note that requests target the routes the file defines, so the string routes.lua itself will not normally appear in the URI
  • The front panel authentication setting changing when no operator made the change
  • Authentication failures followed shortly by successful access

Network Indicators:

  • HTTP POST/PUT requests to the setup and authentication-related endpoints from addresses outside the trusted management ranges

SIEM Query:

source="maxtime" AND (uri CONTAINS "/maxprofile/setup/" OR uri CONTAINS "routes.lua") AND NOT src_ip IN (<management ranges>)

Field names are illustrative; adapt them to your log source. Use a substring match on the path rather than an exact match, since the setup routes sit beneath the /maxprofile/setup/ prefix, and exclude the management ranges so that routine administration does not drown out the signal.
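Where no SIEM ingests the controller's web logs, the same logic can be run directly over an access log, which also covers the monitoring recommended under "If You Can't Patch". The script below is an added example for this page, not Q-Free code. It assumes a combined-format access log, that the routes defined in maxprofile/setup/routes.lua are served under /maxprofile/setup/, and that management traffic comes from 10.0.50.0/24; none of these come from the CVE text, and the route name "frontpanel" in the sample records is hypothetical. A successful state-changing request to a setup route from outside the management network is the pattern this CVE produces and is rated highest.

```python
"""Triage a MaxTime HTTP access log for requests to the setup routes.

Added example for this page (not Q-Free code). Assumptions not taken from
the CVE text: the controller writes a combined-format access log, the
routes defined in maxprofile/setup/routes.lua are served under
/maxprofile/setup/, and management traffic originates from 10.0.50.0/24.
Change all three to match your deployment.
"""
import ipaddress
import re

TRUSTED_NETS = [ipaddress.ip_network("10.0.50.0/24")]   # assumed management subnet
SETUP_PREFIX = "/maxprofile/setup/"                       # assumed URI prefix for the setup routes
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}       # methods that can change a setting

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict of fields, or None for lines that are not access-log records."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip):
    """True if the client address falls inside one of the management ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def triage(lines):
    """Return (severity, reason, record) for every request that touches the setup routes."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(SETUP_PREFIX):
            continue
        trusted = is_trusted(rec["ip"])
        writes = rec["method"] in STATE_CHANGING
        accepted = 200 <= rec["status"] < 300
        if not trusted and writes and accepted:
            # The pattern this CVE produces: a setting changed by an unauthenticated outsider.
            findings.append(("high", "setup route changed from untrusted source", rec))
        elif not trusted:
            findings.append(("medium", "setup route reached from untrusted source", rec))
        elif writes and accepted:
            findings.append(("low", "setup route changed from management network; confirm with operator", rec))
    return findings


# Constructed sample records; the route name "frontpanel" is hypothetical.
SAMPLE_LOG = [
    '10.0.50.12 - - [10/Mar/2025:09:01:02 +0000] "GET /maxprofile/setup/ HTTP/1.1" 200 1843',
    '10.0.50.12 - - [10/Mar/2025:09:01:40 +0000] "POST /maxprofile/setup/frontpanel HTTP/1.1" 200 52',
    '203.0.113.77 - - [10/Mar/2025:09:04:41 +0000] "POST /maxprofile/setup/frontpanel HTTP/1.1" 200 52',
    '203.0.113.77 - - [10/Mar/2025:09:04:45 +0000] "GET /maxprofile/setup/ HTTP/1.1" 401 0',
    '198.51.100.9 - - [10/Mar/2025:09:05:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    'not an access log line',
]

if __name__ == "__main__":
    for severity, reason, rec in triage(SAMPLE_LOG):
        print(f'{severity:6} {rec["ip"]:15} {rec["method"]} {rec["path"]} -> {rec["status"]} ({reason})')
```

Requests that never touch the setup prefix and lines that do not parse are skipped, so the output is only the handful of events worth a human look; a "low" finding from the management network is still worth reconciling against change records, because a compromised management host would look the same.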
