CRITICAL · CVE-2025-26347 · CVSS 9.8

CVE-2025-26347: Missing Authentication in Q-Free MaxTime

Platform

other

Component

maxtime

Fixed in

2.11.1

AI Confidence: high · NVD · EPSS 0.7% · Reviewed: May 2026

CVE-2025-26347 identifies a critical vulnerability in Q-Free MaxTime, specifically within the /menu/routes.lua file. This flaw, classified as a CWE-306 (Missing Authentication for Critical Function), allows an unauthenticated remote attacker to modify user permissions. The vulnerability impacts versions 0 through 2.11.0 of MaxTime, and a patch is available in version 2.11.1.

Impact and Attack Scenarios

The impact of CVE-2025-26347 is severe. An unauthenticated attacker who can reach the MaxTime web interface can modify user permissions, which lets them escalate privileges within the MaxTime system and from there take control of its configuration: manipulating traffic data, disrupting operations or extracting stored information. Because the permission-editing function performs no authentication check at all, no prior login, stolen credential or user interaction is needed; every host that can reach the interface is a potential attacker. This matters because MaxTime is deployed in traffic management infrastructure, where a compromised system affects physical operations rather than only the application's own data.

Exploitation Context

CVE-2025-26347 was publicly disclosed on 2025-02-12. The combination of a 9.8 CVSS score and an attack that needs no credentials or user interaction makes the flaw easy to weaponize, but the threat data on this page shows no evidence of exploitation so far: no public proof of concept is known, the CISA SSVC exploitation status is "none", and the vulnerability is not listed in the CISA KEV catalog. The EPSS score of 0.68% (71st percentile) reflects the same picture. That should not be read as safe: the attack is a single unauthenticated request to a web interface, so an exploit is trivial to develop once the affected route is identified, and internet-exposed instances should be treated as at risk regardless of the current exploitation status.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.68% (71% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1 base score: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

Source: nextguardhq.com, CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — no victim action is needed: no click, no file open, no social engineering.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: maxtime
Vendor: Q-Free
Affected range: 0 – 2.11.0
Fixed in: 2.11.1

Weakness Classification (CWE)

CWE-306: Missing Authentication for Critical Function
Timeline

  1. Reserved
  2. Published: 2025-02-12
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-26347 is to upgrade Q-Free MaxTime to version 2.11.1 or later. If an upgrade cannot be scheduled immediately because of compatibility concerns or downtime requirements, reduce exposure in the meantime: put MaxTime behind a reverse proxy or WAF that itself enforces authentication (or an IP allow-list of management hosts) in front of the whole web interface, and segment the network so the interface is not reachable from untrusted networks, least of all the internet. Note that /menu/routes.lua is the server-side Lua file in which the vulnerable route is defined, not necessarily the URL an attacker requests; unless you know the exact route the permission function is served from, a proxy rule that only matches that filename may miss it, which is why gating the entire interface is the safer interim control. Log and alert on permission changes, and on any request to the permission-editing function that carries no authenticated session. After upgrading, confirm the fix on a test instance or with explicit authorization: send a request to the permission-editing function without a session and verify it is rejected (401, 403 or a redirect to the login page) rather than processed.
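The two practical steps in the paragraph above, the post-upgrade verification and the log monitoring, as an added example. This is not Q-Free code and nothing in it comes from the vendor: the page names the file /menu/routes.lua but not the URL route it serves, so PERMISSION_PATH is a placeholder you must replace; the log lines are constructed, in Apache/nginx "combined" format, and the scan only means something when the front proxy is the component performing authentication, which is the interim control suggested above.

```python
#!/usr/bin/env python3
"""Triage helpers for CVE-2025-26347 (added example, not Q-Free code).

classify_response()/probe(): post-upgrade check that an UNAUTHENTICATED
request to the permission function is rejected (401/403 or a login
redirect) rather than served.
find_unauthenticated_hits(): scan a front reverse proxy's access log
("combined" format) for requests that reached the permission route with
no authenticated user and were answered 2xx.

Assumptions not taken from the advisory: PERMISSION_PATH is a placeholder
(the page names the file /menu/routes.lua, not the URL it serves), and
the proxy is the component enforcing authentication, so its user field
is meaningful.
"""
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

PERMISSION_PATH = "/menu/routes.lua"  # placeholder, see module docstring
LOGIN_MARKERS = ("login", "signin", "auth")

# Constructed sample log lines (not real traffic): an unauthenticated
# POST answered 200, the same request by "admin", an unauthenticated GET
# that was redirected, and an unrelated path.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2025:10:01:12 +0000] "POST /menu/routes.lua HTTP/1.1" 200 512 "-" "curl/8.4"
198.51.100.2 - admin [12/Feb/2025:10:02:40 +0000] "POST /menu/routes.lua HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2025:10:03:05 +0000] "GET /menu/routes.lua HTTP/1.1" 302 0 "-" "curl/8.4"
203.0.113.9 - - [12/Feb/2025:10:04:00 +0000] "GET /status HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def classify_response(status, headers, body=b""):
    """Return 'enforced', 'exposed' or 'inconclusive' for the answer to
    a request that carried no session cookie or credentials."""
    if status in (401, 403):
        return "enforced"
    if 300 <= status < 400:
        target = urlparse(headers.get("Location", "")).path.lower()
        return "enforced" if any(m in target for m in LOGIN_MARKERS) else "inconclusive"
    if 200 <= status < 300:
        # Heuristic: some apps answer 200 with the login form instead of
        # redirecting; that still counts as gated.
        text = body[:4096].decode("utf-8", "replace").lower()
        if "<form" in text and any(m in text for m in LOGIN_MARKERS):
            return "enforced"
        return "exposed"
    return "inconclusive"


def probe(base_url, path=PERMISSION_PATH, timeout=10):
    """Send one unauthenticated GET and classify the answer. Redirects are
    not followed so a login redirect stays visible. Only run this against
    systems you are authorised to test."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # makes urllib raise HTTPError for 3xx instead of following

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.headers, resp.read())
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.headers, err.read())


def find_unauthenticated_hits(lines, path=PERMISSION_PATH):
    """Return (ip, timestamp, method, path, status) for each request to the
    permission route with no authenticated user ("-") that was served 2xx
    instead of being rejected."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m or not m["path"].split("?", 1)[0].startswith(path):
            continue
        status = int(m["status"])
        if m["user"] == "-" and 200 <= status < 300:
            hits.append((m["ip"], m["ts"], m["method"], m["path"], status))
    return hits


def main(argv):
    if len(argv) == 2:  # e.g. python3 triage.py https://maxtime.example
        print(f"{argv[1]}{PERMISSION_PATH}: {probe(argv[1])}")
        return
    for hit in find_unauthenticated_hits(SAMPLE_LOG.splitlines()):
        print("unauthenticated permission-route hit:", hit)


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments to scan the constructed sample, which flags only the first line (an unauthenticated POST that the server answered 200). Run with a base URL to probe a test instance: "enforced" is the expected result after the upgrade to 2.11.1; "exposed" on a pre-upgrade system is the finding itself; "inconclusive" means the route redirected somewhere that does not look like a login page and needs a manual look.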

How to fix

Update MaxTime to version 2.11.1 or later. The fix adds the missing authentication check to the critical function so that unauthenticated remote attackers can no longer edit user permissions. Refer to the vendor's website for the latest version and upgrade instructions.

Frequently asked questions

What is CVE-2025-26347 — Missing Authentication in Q-Free MaxTime?

CVE-2025-26347 is a critical vulnerability in Q-Free MaxTime versions 0–2.11.0 that allows unauthenticated attackers to modify user permissions via HTTP requests, potentially granting unauthorized access.

Am I affected by CVE-2025-26347 in Q-Free MaxTime?

If you are running Q-Free MaxTime version 0 through 2.11.0, you are affected by this vulnerability and should prioritize upgrading to a patched version.

How do I fix CVE-2025-26347 in Q-Free MaxTime?

The recommended fix is to upgrade to Q-Free MaxTime version 2.11.1 or later. As an interim measure, restrict access to the vulnerable endpoint using a WAF or proxy.

Is CVE-2025-26347 being actively exploited?

No public exploit is known and the vulnerability is not in the CISA KEV catalog as of this page's review, but the attack requires nothing beyond network access to the web interface and the severity is critical, so exploitation should be expected once the route is known. Prioritize the upgrade and monitor for unauthenticated permission changes in the meantime.

Where can I find the official Q-Free advisory for CVE-2025-26347?

Refer to the official Q-Free security advisory for detailed information and updates regarding CVE-2025-26347.