CVE-2025-26377

8.1 HIGH

📋 TL;DR

This vulnerability allows authenticated low-privileged attackers to delete user accounts in Q-Free MaxTime systems via crafted HTTP requests. It affects all installations running version 2.11.0 or earlier. Organizations using vulnerable versions are at risk of unauthorized user account removal.

💻 Affected Systems

Products:
  • Q-Free MaxTime
Versions: All versions ≤ 2.11.0
Operating Systems: Any OS running MaxTime
Default Config Vulnerable: ⚠️ Yes
Notes: All standard installations are vulnerable. The vulnerability exists in the maxprofile/users/routes.lua file handling user deletion requests.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could delete all user accounts, including administrators, causing complete loss of system access and requiring full system restoration from backups.

🟠

Likely Case

Attackers delete specific user accounts to disrupt operations, remove audit trails, or escalate privileges by eliminating higher-privileged accounts.

🟢

If Mitigated

With proper network segmentation and monitoring, impact is limited to unauthorized deletion of some user accounts requiring manual restoration.

🌐 Internet-Facing: HIGH if the MaxTime web interface is exposed to the internet, since any authenticated attacker can exploit it remotely.
🏢 Internal Only: HIGH, since authenticated internal users (including low-privileged ones) can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access but low privileges. Attackers need to craft specific HTTP requests to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version > 2.11.0

Vendor Advisory: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26377

Restart Required: No

Instructions:

1. Contact Q-Free for the patched version (>2.11.0).
2. Back up the current configuration.
3. Apply the update following vendor instructions.
4. Verify that authorization checks on user deletion are properly implemented.

🔧 Temporary Workarounds

Network Access Control

Applies to: all

Restrict access to the MaxTime web interface to authorized users only, using firewall rules.

User Privilege Review

Applies to: all

Review and minimize the set of user accounts with access to the MaxTime interface.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate MaxTime systems from untrusted networks
  • Enable detailed logging of all user deletion events and implement alerting for suspicious patterns

🔍 How to Verify

Check if Vulnerable:

Check the MaxTime version via the web interface or configuration files. If the version is ≤2.11.0, the system is vulnerable.

Check Version:

Check the web interface or configuration files for version information.

Verify Fix Applied:

After patching, verify that the version is >2.11.0 and test that low-privileged users cannot delete other user accounts.

📡 Detection & Monitoring

Log Indicators:

  • Multiple DELETE requests to /maxprofile/users/ endpoints from low-privileged accounts
  • Unexpected user account deletion events

Network Indicators:

  • HTTP DELETE requests to user management endpoints from unauthorized sources

SIEM Query:

source="maxtime" AND (method="DELETE" AND uri="/maxprofile/users/*") AND user_privilege="low"
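The SIEM query above expressed as standalone detection logic, as an added example that is not part of this advisory or of any Q-Free tooling. The key="value" log format, the field names (source, method, uri, user_privilege, user) and the repeat threshold are assumptions chosen to mirror the query; the log lines are constructed samples.

```python
"""Detection logic for the log indicators above: DELETE requests to
/maxprofile/users/* issued by low-privileged accounts. Log format and
field names are assumptions chosen to match the SIEM query fields."""
import re
from collections import Counter

# Constructed sample log lines (not real MaxTime output); key="value" fields
# mirror the SIEM query: source, method, uri, user_privilege, plus user.
SAMPLE_LOG = """\
source="maxtime" user="admin" user_privilege="admin" method="DELETE" uri="/maxprofile/users/12"
source="maxtime" user="operator1" user_privilege="low" method="GET" uri="/maxprofile/users/12"
source="maxtime" user="operator1" user_privilege="low" method="DELETE" uri="/maxprofile/users/12"
source="maxtime" user="operator1" user_privilege="low" method="DELETE" uri="/maxprofile/users/13"
source="maxtime" user="operator2" user_privilege="low" method="DELETE" uri="/maxprofile/users/7"
source="other" user="operator2" user_privilege="low" method="DELETE" uri="/maxprofile/users/8"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
USERS_URI_RE = re.compile(r"^/maxprofile/users/")   # the query's uri="/maxprofile/users/*"

def parse_line(line):
    """Turn one key="value" log line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))

def is_suspicious(event):
    """Equivalent of the SIEM query: low-privileged DELETE on the users endpoint."""
    return (event.get("source") == "maxtime"
            and event.get("method") == "DELETE"
            and USERS_URI_RE.match(event.get("uri", "")) is not None
            and event.get("user_privilege") == "low")

def detect(log_text, repeat_threshold=2):
    """Return (matching events, accounts at or above the repeat threshold).

    repeat_threshold is an assumed tuning value for the "multiple DELETE
    requests" indicator; every single match is still reported."""
    matches = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if is_suspicious(e)]
    per_user = Counter(e.get("user", "?") for e in matches)
    repeat_offenders = sorted(u for u, n in per_user.items() if n >= repeat_threshold)
    return matches, repeat_offenders

if __name__ == "__main__":
    hits, repeaters = detect(SAMPLE_LOG)
    for h in hits:
        print(f"ALERT user={h['user']} {h['method']} {h['uri']}")
    print("repeat offenders:", repeaters)
```

On the sample above only the three low-privileged DELETEs from the "maxtime" source match; the admin deletion, the GET, and the event from another source are ignored, and operator1 is flagged for repeated deletions.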

🔗 References
