CVE-2025-26367

4.3 MEDIUM

📋 TL;DR

This vulnerability allows authenticated, low-privileged attackers to create arbitrary user groups in Q-Free MaxTime traffic management systems. Attackers can escalate privileges by creating administrative groups or by manipulating system access controls. Organizations running Q-Free MaxTime version 2.11.0 or earlier are affected.

💻 Affected Systems

Products:
  • Q-Free MaxTime
Versions: ≤ 2.11.0
Operating Systems: Not OS-specific (application-level vulnerability)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access with any user account, including low-privileged accounts.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers create administrative user groups, gain full system control, manipulate traffic management operations, and potentially disrupt critical infrastructure.

🟠 Likely Case

Attackers create unauthorized user groups to escalate privileges, bypass access controls, and gain unauthorized access to sensitive traffic management functions.

🟢 If Mitigated

With proper network segmentation and authentication controls, impact is limited to unauthorized group creation within the application scope.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access and crafting HTTP requests to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version > 2.11.0

Vendor Advisory: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26367

Restart Required: Yes

Instructions:

1. Contact Q-Free for patched version >2.11.0
2. Backup current configuration
3. Apply the update following vendor instructions
4. Restart MaxTime services
5. Verify authorization controls are functioning

🔧 Temporary Workarounds

Network Access Restriction (applies to: all)

Restrict network access to MaxTime web interface to authorized users only

Web Application Firewall Rules (applies to: all)

Implement WAF rules to block unauthorized POST requests to /maxprofile/user-groups/ endpoints

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate MaxTime systems from untrusted networks
  • Enforce principle of least privilege for all user accounts and regularly audit user group memberships

🔍 How to Verify

Check if Vulnerable:

Check the MaxTime version via the web interface or configuration files. If the version is ≤2.11.0, the system is vulnerable.

Check Version:

Check the web interface admin panel or configuration files for version information.

Verify Fix Applied:

After patching, attempt to create a user group with a low-privileged account; the request should be denied. Also verify that the version is >2.11.0.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /maxprofile/user-groups/ endpoints
  • User group creation events from non-admin accounts
  • Multiple failed authorization attempts

Network Indicators:

  • HTTP POST requests to vulnerable endpoints from unexpected sources
  • Unusual traffic patterns to MaxTime web interface

SIEM Query:

source="maxtime" AND (uri_path="/maxprofile/user-groups/" AND http_method="POST") AND user_role!="admin"
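The SIEM query above expresses the detection as a single filter. The following is an added example (not from this advisory, Nozomi Networks, or Q-Free) that applies the same logic offline over a handful of constructed log lines: it flags POSTs to /maxprofile/user-groups/ by non-admin accounts, separating successful creations (a sign of an unpatched build) from repeated 403s (the "multiple failed authorization attempts" indicator). The log line format, role names, and the threshold of 3 are assumptions made for the example; MaxTime's real log layout is not documented on the page.

```python
"""Offline detection for CVE-2025-26367-style abuse: user-group creation
attempted by non-admin accounts. The log format, role names and threshold
below are CONSTRUCTED assumptions for this example, not MaxTime's own."""
import re
from collections import defaultdict

# Assumed line layout: <ts> <src_ip> user=<name> role=<role> <METHOD> <path> <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) user=(?P<user>\S+) role=(?P<role>\S+) '
    r'(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$'
)

USER_GROUP_PATH = "/maxprofile/user-groups/"  # endpoint named in the advisory
FAILED_AUTHZ_THRESHOLD = 3                     # assumed tuning value

# Constructed sample logs: one operator creates two groups (should be impossible
# on a patched build), one viewer is repeatedly denied, and admins act normally.
SAMPLE_LOGS = """\
2025-03-01T10:00:01Z 10.1.5.20 user=admin role=admin GET /maxprofile/user-groups/ 200
2025-03-01T10:00:07Z 10.1.5.44 user=operator1 role=operator POST /maxprofile/user-groups/ 201
2025-03-01T10:00:09Z 10.1.5.44 user=operator1 role=operator POST /maxprofile/user-groups/ 201
2025-03-01T10:01:12Z 10.1.5.50 user=viewer2 role=viewer POST /maxprofile/user-groups/ 403
2025-03-01T10:01:13Z 10.1.5.50 user=viewer2 role=viewer POST /maxprofile/user-groups/ 403
2025-03-01T10:01:14Z 10.1.5.50 user=viewer2 role=viewer POST /maxprofile/user-groups/ 403
2025-03-01T10:02:00Z 10.1.5.20 user=admin role=admin POST /maxprofile/user-groups/ 201
2025-03-01T10:02:30Z 10.1.5.61 user=operator3 role=operator GET /maxprofile/dashboard 200
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, threshold=FAILED_AUTHZ_THRESHOLD):
    """Apply the advisory's detection logic.

    Returns a dict with:
      non_admin_group_creation: list of (ts, user, src_ip) for successful (2xx)
          POSTs to the user-group endpoint by non-admin roles
      repeated_authz_failures: {user: count} for non-admin users denied (403)
          on that endpoint at least `threshold` times
    """
    succeeded = []
    failures = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines instead of aborting the run
        if rec["method"] != "POST" or not rec["path"].startswith(USER_GROUP_PATH):
            continue
        if rec["role"] == "admin":
            continue  # admins are expected to manage groups
        if rec["status"].startswith("2"):
            succeeded.append((rec["ts"], rec["user"], rec["src"]))
        elif rec["status"] == "403":
            failures[rec["user"]] += 1
    repeated = {u: n for u, n in failures.items() if n >= threshold}
    return {"non_admin_group_creation": succeeded,
            "repeated_authz_failures": repeated}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    for ts, user, src in result["non_admin_group_creation"]:
        print(f"ALERT group created by non-admin {user} from {src} at {ts}")
    for user, n in result["repeated_authz_failures"].items():
        print(f"WARN {user} denied {n} times on {USER_GROUP_PATH}")
```

A successful non-admin creation is the stronger signal: on a build newer than 2.11.0 the server should answer such requests with a denial, so any 2xx here points at an unpatched instance or at a role mapping that is broader than intended. The 403 counter covers probing against a patched system and is worth feeding back into the same SIEM alert.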
