CVE-2025-26373
📋 TL;DR
This vulnerability allows authenticated low-privileged attackers to enumerate user accounts in Q-Free MaxTime systems via crafted HTTP requests to the user endpoint. It affects organizations using Q-Free MaxTime version 2.11.0 or earlier. Attackers can gather user information that could facilitate further attacks.
💻 Affected Systems
- Q-Free MaxTime
📦 What is this software?
MaxTime by Q-Free
⚠️ Risk & Real-World Impact
Worst Case
Attackers enumerate all system users, identify administrative accounts, and use this information for targeted attacks, privilege escalation, or credential stuffing campaigns.
Likely Case
Attackers gather user lists to identify high-value targets for social engineering, password spraying, or targeted attacks against specific individuals.
If Mitigated
With proper network segmentation and monitoring, impact is limited to user enumeration without direct access to sensitive data or system compromise.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via crafted HTTP requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: > 2.11.0
Vendor Advisory: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26373
Restart Required: Yes
Instructions:
1. Contact Q-Free for an updated version (>2.11.0).
2. Back up configuration and data.
3. Apply the patch/upgrade.
4. Restart MaxTime services.
5. Verify functionality.
🔧 Temporary Workarounds
Network Access Control
Restrict access to MaxTime user endpoints to authorized IPs only
Web Application Firewall Rules
Block requests to /maxprofile/users/ endpoint patterns
🧯 If You Can't Patch
- Implement strict network segmentation to isolate MaxTime systems from untrusted networks
- Enhance monitoring for unusual access patterns to user enumeration endpoints
🔍 How to Verify
Check if Vulnerable:
Check the MaxTime version via the admin interface or configuration files. If the version is ≤ 2.11.0, the system is vulnerable.
Check Version:
Check MaxTime web interface or configuration files for version information
Verify Fix Applied:
After patching, verify version >2.11.0 and test that authenticated low-privileged users cannot enumerate users via the affected endpoint.
📡 Detection & Monitoring
Log Indicators:
- Multiple HTTP GET requests to /maxprofile/users/ endpoints from single low-privileged accounts
- Unusual pattern of user enumeration attempts
Network Indicators:
- HTTP traffic to user enumeration endpoints with crafted parameters
- Bursts of requests to user-related API endpoints
SIEM Query:
source="maxtime" AND (uri_path="/maxprofile/users/" OR uri_path CONTAINS "users") AND http_method="GET" AND user_role="low_privilege"
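As an added example (not part of the advisory or of Q-Free's software), the SIEM logic above rewritten as a small Python detector run over constructed log lines; it goes one step further than the query by flagging only accounts that burst requests to /maxprofile/users/ within a sliding time window. The log format, the role names and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumed format: timestamp user role method path).
SAMPLE_LOG = """\
2025-03-01T10:00:01Z alice operator GET /maxprofile/users/1
2025-03-01T10:00:02Z alice operator GET /maxprofile/users/2
2025-03-01T10:00:03Z alice operator GET /maxprofile/users/3
2025-03-01T10:00:04Z alice operator GET /maxprofile/users/4
2025-03-01T10:00:05Z alice operator GET /maxprofile/users/5
2025-03-01T10:05:00Z bob admin GET /maxprofile/users/
2025-03-01T10:06:00Z carol operator GET /maxprofile/dashboard
2025-03-01T11:00:00Z dave operator GET /maxprofile/users/7
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
USERS_PATH = "/maxprofile/users/"  # endpoint named in the advisory
LOW_PRIV_ROLES = {"operator", "viewer"}  # assumed role names for non-admin accounts

def parse_line(line):
    """Parse one log line; returns None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, role, method, path = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, role, method, path

def find_enumeration(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {user: peak count} for low-privileged accounts that issued at least
    `threshold` GETs to the users endpoint within any sliding `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, role, method, path = rec
        if role in LOW_PRIV_ROLES and method == "GET" and path.startswith(USERS_PATH):
            events[user].append(ts)
    flagged = {}
    for user, times in events.items():
        times.sort()  # logs are not guaranteed to arrive in order
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide window start forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged
```

Running `find_enumeration(SAMPLE_LOG)` on the sample flags only alice; the admin's single request and the one-off operator requests stay below the threshold.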