Platform: other
Component: maxtime
Fixed in: 2.11.1
CVE-2025-26341 describes a critical vulnerability in Q-Free MaxTime: the password reset function performs no authentication check on the caller (missing authentication for a critical function). An unauthenticated remote attacker can therefore craft HTTP requests to the reset function and set a new password for arbitrary user accounts, gaining access to them. All versions up to and including 2.11.0 are affected; the fix ships in version 2.11.1.
The impact is severe because exploitation is trivial and every account on the instance is exposed. An attacker who resets a privileged user's password gains full control of that account within the MaxTime system, with the access to sensitive data, ability to change system configuration and potential for complete system takeover that the account carries. Because no authentication is required, the attacker needs no prior knowledge of any credential, which makes this a highly accessible attack vector; a successful attack can cause significant operational disruption as well as reputational damage.
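The following is an added illustration of the bug class (CWE-306, missing authentication for a critical function) on a password-reset handler, written for this page; it is not Q-Free MaxTime code and says nothing about how MaxTime actually implements its reset. The request shape, the in-memory user store, the session table and the reset-token scheme are all assumptions made for the demonstration. The vulnerable handler trusts the `username` field in the request body and never asks who is calling; the hardened one accepts a reset only from an authenticated session that belongs to the target user or to an administrator, or from a single-use, time-limited reset token issued for that exact user.

```python
"""Added example: a password-reset handler with and without an
authentication check. Not Q-Free MaxTime code; every name here is an
assumption made for the demonstration."""
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory user store: username -> salted PBKDF2 hash.
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}

USERS = {"operator": make_user("initial-pass"), "admin": make_user("admin-pass")}
ADMINS = {"admin"}  # assumed role model: one administrative account

def check_password(username, password):
    u = USERS.get(username)
    return u is not None and hmac.compare_digest(u["hash"], _hash(password, u["salt"]))

# --- Vulnerable handler (CWE-306) -----------------------------------------
# Reads the target username and the new password straight from the request
# body. Nothing establishes who the caller is, so any remote client can send
# {"username": "admin", "new_password": "..."} and take over the account.
def reset_password_vulnerable(request):
    body = request["body"]
    if body["username"] not in USERS:
        return 404, "no such user"
    USERS[body["username"]] = make_user(body["new_password"])
    return 200, "password reset"

# --- Hardened handler -----------------------------------------------------
SESSIONS = {}       # session id -> username (constructed session table)
RESET_TOKENS = {}   # sha256(token) -> (username, expiry); tokens stored hashed
TOKEN_TTL = 900     # seconds a reset token stays valid (assumed policy)

def login(username, password):
    """Issue a session id only after the password has been verified."""
    if not check_password(username, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid

def issue_reset_token(username):
    """Out-of-band reset path (e.g. sent by e-mail); the raw token is returned
    to the caller once and only its hash is kept server-side."""
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = (username, time.time() + TOKEN_TTL)
    return token

def _consume_token(token, username):
    """Single use: the entry is removed whether or not it validates."""
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False
    owner, expiry = entry
    return owner == username and time.time() < expiry

def reset_password_hardened(request):
    body = request["body"]
    username = body["username"]
    # 1. Authenticated session belonging to the target user or an admin.
    caller = SESSIONS.get(request.get("cookies", {}).get("session", ""))
    authorized = caller is not None and (caller == username or caller in ADMINS)
    # 2. Otherwise a valid reset token bound to this user.
    if not authorized and "reset_token" in body:
        authorized = _consume_token(body["reset_token"], username)
    # Authorization is checked before the user lookup so the response does not
    # reveal whether the account exists to an unauthenticated caller.
    if not authorized or username not in USERS:
        return 403, "authentication required"
    USERS[username] = make_user(body["new_password"])
    # Invalidate existing sessions of the account after a reset.
    for sid in [s for s, u in SESSIONS.items() if u == username]:
        del SESSIONS[sid]
    return 200, "password reset"
```

The check that matters is the one the vulnerable handler lacks: something in the request must prove the caller's identity or possession of a secret bound to the target account before the password is touched. Rate limiting or input validation does not substitute for it, since a single well-formed request is enough.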
CVE-2025-26341 was publicly disclosed on February 12, 2025. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept exploits. The vulnerability's simplicity and critical severity suggest it may become a target for opportunistic attackers. It is not currently listed on the CISA KEV catalog.
Organizations running Q-Free MaxTime at version 2.11.0 or earlier are at significant risk, above all where the instance is reachable from the public internet or sits on a flat network without segmentation. Multi-user deployments, where several accounts share one MaxTime instance, are also particularly exposed, since every account on the instance can be reset.
Disclosure
Exploit status:
EPSS: 0.99% (percentile 77%)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-26341 is to upgrade Q-Free MaxTime to version 2.11.1 or later without delay. If upgrading is not immediately feasible, restrict network access to the instance, and to the password reset endpoint in particular, so that only trusted sources can reach it. Rate limiting on the reset endpoint is a weaker secondary control: it slows down mass resets but does not address the root cause, because a single well-formed request is enough to reset one account. Monitor access logs for requests to the password reset endpoint, especially from unexpected sources or in bursts. After upgrading, confirm the fix by sending a password reset request from an unauthenticated client; it should be rejected.
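As an added example of the log monitoring suggested above (written for this page, not provided by the vendor), the following script parses web-server access logs in the common Apache/Nginx combined format, picks out requests to the password reset endpoint, and groups them by client IP with a count of how many were accepted (2xx/3xx) rather than rejected (401/403). The endpoint path `RESET_PATH` is an assumption and must be replaced with the real route; the sample log lines are constructed for the demonstration.

```python
"""Added example: find password-reset requests in combined-format access
logs and summarize them per client. RESET_PATH is an assumed route, not
MaxTime's actual endpoint; SAMPLE_LOG is constructed test data."""
import re
from collections import defaultdict

RESET_PATH = "/api/password/reset"   # ASSUMPTION: substitute the real route

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # ignore the query string
    return rec

def reset_requests(lines, reset_path=RESET_PATH):
    """Every parsed request whose path is the reset endpoint."""
    return [rec for rec in map(parse_line, lines)
            if rec is not None and rec["path"] == reset_path]

def report(lines, reset_path=RESET_PATH):
    """Per-client summary. After the fix, 'accepted' should be zero for
    clients that never authenticated; any non-zero value before the fix is a
    reset that may have succeeded and deserves investigation."""
    by_ip = defaultdict(lambda: {"total": 0, "accepted": 0})
    for rec in reset_requests(lines, reset_path):
        by_ip[rec["ip"]]["total"] += 1
        if 200 <= rec["status"] < 400:
            by_ip[rec["ip"]]["accepted"] += 1
    return dict(by_ip)

# Constructed sample log: one client hammering the reset endpoint and getting
# 200s, one ordinary client whose reset attempt is rejected, one junk line.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2025:10:01:02 +0000] "POST /api/password/reset HTTP/1.1" 200 17 "-" "curl/8.4.0"',
    '203.0.113.7 - - [12/Feb/2025:10:01:05 +0000] "POST /api/password/reset?user=admin HTTP/1.1" 200 17 "-" "curl/8.4.0"',
    '198.51.100.20 - - [12/Feb/2025:10:02:11 +0000] "GET /login HTTP/1.1" 200 4211 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Feb/2025:10:02:30 +0000] "POST /api/password/reset HTTP/1.1" 403 9 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, counts in report(SAMPLE_LOG).items():
        print(f"{ip}: {counts['total']} reset requests, {counts['accepted']} accepted")
```

Run it over the real log with `report(open(path).readlines())`. The useful signals are a client with several accepted resets in a short window, and, after the upgrade, any accepted reset at all from a client that has no preceding successful login.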
Update Q-Free MaxTime to a version later than 2.11.0. This corrects the missing authentication check on the critical password reset function. See the vendor's security advisory for details of the update.
CVE-2025-26341 is a critical vulnerability in Q-Free MaxTime versions up to and including 2.11.0 that allows unauthenticated attackers to reset user passwords via crafted HTTP requests.
If you are running Q-Free MaxTime version 2.11.0 or earlier, you are affected by this vulnerability.
Upgrade to Q-Free MaxTime version 2.11.1 or later to resolve the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
There is currently no evidence of active exploitation, but the vulnerability's severity suggests it may become a target.
Refer to the Q-Free security advisory for detailed information and updates regarding CVE-2025-26341.