CVE-2025-26375
📋 TL;DR
This vulnerability allows an authenticated low-privileged user of Q-Free MaxTime to create new user accounts with arbitrary administrative privileges by sending crafted HTTP requests to the user-creation endpoint (/maxprofile/users/). It affects Q-Free MaxTime version 2.11.0 and earlier. The attacker escalates from an ordinary account to full administrative control of the system.
💻 Affected Systems
- Q-Free MaxTime
📦 What is this software?
MaxTime by Q-Free
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full administrative control over the MaxTime system, allowing them to modify configurations, access sensitive data, disrupt operations, or establish persistence for further attacks.
Likely Case
Privilege escalation leading to unauthorized administrative access, potentially enabling data theft, system manipulation, or lateral movement within the network.
If Mitigated
Network segmentation limits how far an attacker can get with the escalated account, and monitoring makes the escalation visible, but least privilege on the accounts themselves does not help here: the bug is precisely that a least-privileged account can grant itself administrative rights. The vulnerability remains until the patch is applied.
🎯 Exploit Status
Exploitation requires an authenticated account (any privilege level) and knowledge of the vulnerable endpoint (/maxprofile/users/); once a session exists, the attack is a straightforward crafted request, so any compromised or malicious user is enough.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version > 2.11.0
Advisory (Nozomi Networks Labs): https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26375
Restart Required: No
Instructions:
1. Contact Q-Free for the latest patched version.
2. Back up the current configuration and data.
3. Apply the vendor-provided patch or upgrade to a version later than 2.11.0.
4. Verify the fix by testing the user-creation functionality from a low-privileged account.
🔧 Temporary Workarounds
Restrict Access to Vulnerable Endpoint
Implement network access controls or web application firewall rules so that only administrator workstations (or an allowlisted source range) can reach the /maxprofile/users/ endpoint. Match on the normalized request path rather than the literal string, otherwise percent-encoded, doubled-slash or dot-segment variants of the path slip past the rule.
Implement Additional Authorization Layer
Add a middleware or reverse-proxy authorization check that rejects user-creation requests to /maxprofile/users/ unless the requesting session belongs to an administrative role, so that the decision no longer depends on the application's own (broken) privilege check.
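The two workarounds above amount to one rule: a mutating request to /maxprofile/users/ is allowed only when the caller's session is administrative. The following is an added example of that gate as it could be implemented in a reverse proxy or middleware hook in front of MaxTime; it is not Q-Free's code, and the method/path/role parameters are assumptions about what your proxy exposes, not the MaxTime API. It normalizes the path before matching so that the encoded variants a literal WAF rule would miss are still caught, and it fails closed on unauthenticated sessions.

```python
"""Authorization gate for MaxTime user-creation requests (added example, not
Q-Free code). Intended to run in a reverse proxy or middleware in front of the
application; the method, path and session-role inputs are assumptions about the
proxy hook, and the role labels must be mapped to MaxTime's real role names."""
import posixpath
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

# Endpoint named in the advisory; the mutating methods are the ones that create users.
PROTECTED_PREFIX = "/maxprofile/users"
MUTATING_METHODS = {"POST", "PUT", "PATCH"}
ADMIN_ROLES = {"admin"}  # assumed role label


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def canonical_path(raw_path: str) -> str:
    """Collapse the encodings used to slip past literal string matches:
    query string, percent-encoding (including double encoding), duplicate
    slashes, dot segments and letter case."""
    path = raw_path.split("?", 1)[0]          # drop the query string
    path = unquote(unquote(path))             # %2F, and %252F -> %2F -> /
    path = "/" + path.lstrip("/")             # exactly one leading slash
    path = posixpath.normpath(path)           # // , /./ , /../ and trailing slash
    return path.lower()


def is_user_creation(method: str, raw_path: str) -> bool:
    path = canonical_path(raw_path)
    in_scope = path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")
    return method.upper() in MUTATING_METHODS and in_scope


def authorize(method: str, raw_path: str, session_role: Optional[str]) -> Decision:
    """Fail closed: user creation is allowed only for an authenticated session
    with an administrative role. Every other request passes through to the
    application and its own access checks."""
    if not is_user_creation(method, raw_path):
        return Decision(True, "not a user-creation request")
    if session_role is None:
        return Decision(False, "unauthenticated")
    if session_role.lower() not in ADMIN_ROLES:
        return Decision(False, f"role {session_role!r} may not create users")
    return Decision(True, "admin user creation")


if __name__ == "__main__":
    for args in [("POST", "/maxprofile/users/", "operator"),
                 ("POST", "/maxprofile%2Fusers/", "operator"),
                 ("POST", "/maxprofile/users/", "admin"),
                 ("GET", "/maxprofile/users/", "operator")]:
        print(args, "->", authorize(*args))
```

Deny decisions should be logged with the session identity and the raw path, since a low-privileged account hitting this gate is itself the indicator listed under Detection below.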
🧯 If You Can't Patch
- Implement strict network segmentation to isolate MaxTime systems from critical infrastructure
- Alert on user-creation events initiated by non-admin accounts, and on refused requests to /maxprofile/users/ followed by a successful one from the same account or source
🔍 How to Verify
Check if Vulnerable:
Check MaxTime version via admin interface or configuration files. If version is 2.11.0 or earlier, the system is vulnerable.
Check Version:
Check MaxTime web interface or configuration files for version information
Verify Fix Applied:
After patching, attempt to create a user with elevated privileges using a low-privileged account. This should fail with proper authorization errors.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /maxprofile/users/ endpoints
- User creation events from non-admin accounts
- Multiple failed authorization attempts followed by successful user creation
Network Indicators:
- HTTP POST requests to user creation endpoints from unexpected source IPs
- Repeated requests to /maxprofile/users/ answered with 401/403 and then a 2xx from the same session or source address
SIEM Query:
source="maxtime" AND (uri_path="/maxprofile/users/" OR event_type="user_creation") AND user_role!="admin"
The field names (source, uri_path, event_type, user_role) are placeholders for your own log schema. user_role must be the role of the requesting session, not the privileges of the account being created, and restricting the match to POST/PUT cuts the noise from ordinary reads of the endpoint.