CVE-2025-26372
📋 TL;DR
This vulnerability allows authenticated low-privileged attackers to remove users from groups in Q-Free MaxTime systems via crafted HTTP requests. It affects Q-Free MaxTime versions up to and including 2.11.0. Organizations using vulnerable versions are at risk of unauthorized group membership changes.
💻 Affected Systems
- Q-Free MaxTime
📦 What is this software?
MaxTime by Q-Free
⚠️ Risk & Real-World Impact
Worst Case
Attackers could remove administrators from critical groups, disrupting system management and potentially enabling privilege escalation or denial of service.
Likely Case
Low-privileged users remove other users from groups they should not be able to manage, causing operational disruption and unauthorized changes to access.
If Mitigated
With proper authorization controls and monitoring, impact is limited to logged attempts with no successful unauthorized modifications.
🎯 Exploit Status
Requires authenticated access and crafting specific HTTP requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: > 2.11.0
Vendor Advisory: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26372
Restart Required: No
Instructions:
1. Contact Q-Free for an updated version (> 2.11.0).
2. Back up the current configuration.
3. Apply the update following the vendor's instructions.
4. Verify that authorization checks are properly enforced.
🔧 Temporary Workarounds
Network Access Control
Restrict access to MaxTime user group management endpoints to authorized administrators only.
Enhanced Monitoring
Implement strict monitoring of user group modification requests and alert on suspicious patterns.
🧯 If You Can't Patch
- Implement network segmentation to isolate MaxTime systems from general user access
- Deploy web application firewall rules to block suspicious user group modification patterns
🔍 How to Verify
Check if Vulnerable:
Check the MaxTime version via the admin interface or configuration files. If the version is 2.11.0 or earlier, the system is vulnerable.
Check Version:
Check the MaxTime web interface or configuration files for version information.
Verify Fix Applied:
After patching, confirm that low-privileged users can no longer remove users from groups via HTTP requests to the affected endpoint.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /maxprofile/user-groups/ endpoints from non-admin users
- Unauthorized user group modification attempts in application logs
Network Indicators:
- HTTP traffic to user group management endpoints from unexpected source IPs
- Pattern of group modification requests from low-privileged accounts
SIEM Query:
source="maxtime" AND (uri_path="/maxprofile/user-groups/" OR event="group_modification") AND user_role!="admin"
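The log indicators above, turned into a small detection routine as an added example (not part of the advisory or the vendor's tooling). It assumes a constructed, simplified access-log format of `ip user role method path status`; the endpoint prefix comes from the advisory, while the sub-paths and user names are made up.

```python
import re
from collections import Counter

# Endpoint prefix named in the advisory; everything after it below is constructed.
GROUP_ENDPOINT_PREFIX = "/maxprofile/user-groups/"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
# Hypothetical log format: <src_ip> <user> <role> <method> <path> <status>
LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<user>\S+) (?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample lines: one legitimate admin change, two successful
# non-admin changes (the bug), one blocked attempt, one unrelated POST.
SAMPLE_LOG = """\
10.0.0.5 alice admin POST /maxprofile/user-groups/ops/remove-member 200
10.0.0.9 bob operator POST /maxprofile/user-groups/admins/remove-member 200
10.0.0.9 bob operator GET /maxprofile/user-groups/ 200
10.0.0.12 carol viewer POST /maxprofile/user-groups/ops/remove-member 403
10.0.0.7 dave operator POST /maxprofile/dashboard 200
10.0.0.9 bob operator DELETE /maxprofile/user-groups/ops/members/7 200
"""


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_group_changes(log_text):
    """Return state-changing requests to the group endpoints made by non-admin users.

    A 2xx status is labelled 'success' (authorization was bypassed); anything
    else is labelled 'attempt' (blocked, but still worth alerting on).
    """
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] not in STATE_CHANGING:
            continue
        if not rec["path"].startswith(GROUP_ENDPOINT_PREFIX) or rec["role"] == "admin":
            continue
        rec["outcome"] = "success" if rec["status"].startswith("2") else "attempt"
        hits.append(rec)
    return hits


def changes_per_user(hits):
    """Count flagged requests per account so repeat low-privileged offenders stand out."""
    return Counter(h["user"] for h in hits)
```

Feed real access logs through `flag_group_changes` after adapting `LINE_RE` to your log format; `changes_per_user` gives the per-account pattern the network indicators section describes.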