CVE-2025-26368

8.1 HIGH

📋 TL;DR

A missing authorization vulnerability in Q-Free MaxTime allows authenticated low-privileged users to delete user groups via crafted HTTP requests. This affects all installations running version 2.11.0 or earlier. Attackers could disrupt system administration and potentially escalate privileges by removing security groups.

💻 Affected Systems

Products:
  • Q-Free MaxTime
Versions: ≤ 2.11.0
Operating Systems: All supported OS for MaxTime
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations with the vulnerable version are affected. Requires authenticated access to the web interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through privilege escalation by removing administrative groups, followed by lateral movement and data exfiltration.

🟠 Likely Case: Disruption of operations by deleting critical user groups, causing authentication failures and service interruptions.

🟢 If Mitigated: Limited impact with proper network segmentation and monitoring, though unauthorized group deletions could still occur.

🌐 Internet-Facing: HIGH if the MaxTime web interface is exposed to the internet, as authenticated attackers can exploit it remotely.
🏢 Internal Only: HIGH as authenticated internal users (including low-privileged accounts) can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access and knowledge of HTTP request crafting. No public exploit code available as of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version > 2.11.0

Vendor Advisory: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26368

Restart Required: No

Instructions:

1. Contact Q-Free for the patched version (>2.11.0).
2. Back up the current configuration.
3. Apply the vendor-provided patch.
4. Verify that authorization checks are properly implemented.

🔧 Temporary Workarounds

Network Access Control (all): Restrict access to the MaxTime web interface to authorized administrators only

Enhanced Monitoring (all): Monitor for unauthorized DELETE requests to user-groups endpoints

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate MaxTime from non-administrative networks
  • Enforce principle of least privilege and regularly audit user permissions

🔍 How to Verify

Check if Vulnerable:

Check the MaxTime version via the web interface or configuration files. If the version is ≤ 2.11.0, the system is vulnerable.

Check Version:

Check the web interface admin panel, or consult the MaxTime documentation for a version-check command.

Verify Fix Applied:

After patching, attempt to delete a user group with a low-privileged account; the request should be denied. Verify that the version is > 2.11.0.

📡 Detection & Monitoring

Log Indicators:

  • HTTP DELETE requests to /user-groups/* endpoints from non-admin users
  • Unauthorized access attempts to group management functions

Network Indicators:

  • Unusual DELETE request patterns to MaxTime API
  • Traffic to user-group management endpoints from unexpected sources

SIEM Query:

source="maxtime" AND (method="DELETE" AND uri="/user-groups/*") AND user_role!="admin"
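The log indicators and SIEM query above can be turned into a small offline check. The following is an added example, not code from the advisory or from Q-Free: it runs over a few constructed log lines (the key=value format, field names and roles are assumptions) and flags DELETE requests to user-group endpoints from non-admin accounts, normalising case, percent-encoding and query strings so that a literal uri match is not bypassed by trivial variations, and distinguishing successful deletions (2xx) from denied attempts.

```python
# Added example (not from the advisory): flag HTTP DELETEs against the
# user-group endpoints described by the page's SIEM query, run over
# constructed log lines. Log format, field names and roles are assumptions.
from urllib.parse import urlsplit, unquote

SAMPLE_LOGS = [  # constructed sample data, not real MaxTime logs
    "2025-03-01T10:00:01Z user=alice role=admin method=DELETE uri=/user-groups/12 status=204",
    "2025-03-01T10:00:05Z user=bob role=operator method=GET uri=/user-groups/12 status=200",
    "2025-03-01T10:00:09Z user=bob role=operator method=DELETE uri=/user-groups/12 status=204",
    "2025-03-01T10:00:12Z user=carol role=viewer method=delete uri=/User-Groups/7/?x=1 status=403",
    "2025-03-01T10:00:15Z user=dave role=operator method=DELETE uri=/user-groups/%31%33 status=204",
]

def parse_line(line):
    """Split the 'key=value' tokens that follow the timestamp into a dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    fields["ts"] = ts
    return fields

def is_group_delete(method, uri):
    """True when the request is a DELETE whose path targets /user-groups/...
    Case, percent-encoding, trailing slash and query string are normalised
    so that a literal 'uri=/user-groups/*' match cannot be sidestepped."""
    path = unquote(urlsplit(uri).path).lower().rstrip("/")
    return method.upper() == "DELETE" and path.startswith("/user-groups/")

def find_suspicious(lines, admin_roles=("admin",)):
    """Return (user, uri, verdict) for user-group DELETEs by non-admin roles.
    A 2xx status means the deletion went through (possible exploitation);
    any other status is an attempt that still deserves review."""
    findings = []
    for line in lines:
        f = parse_line(line)
        if f.get("role") in admin_roles:
            continue
        if not is_group_delete(f.get("method", ""), f.get("uri", "")):
            continue
        status = int(f.get("status", "0"))
        verdict = "succeeded" if 200 <= status < 300 else "attempted"
        findings.append((f["user"], f["uri"], verdict))
    return findings

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print("ALERT non-admin user-group DELETE:", hit)
```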
