Platform: other
Component: maxtime
Fixed in: 2.11.1
CVE-2025-26347 identifies a critical vulnerability in Q-Free MaxTime, specifically within the /menu/routes.lua file. This flaw, classified as a CWE-306 (Missing Authentication for Critical Function), allows an unauthenticated remote attacker to modify user permissions. The vulnerability impacts versions 0 through 2.11.0 of MaxTime, and a patch is available in version 2.11.1.
The impact of CVE-2025-26347 is severe. An attacker exploiting this vulnerability can gain unauthorized access to user accounts and escalate privileges within the MaxTime system. This could lead to complete control over the system's configuration, potentially allowing the attacker to manipulate traffic data, disrupt operations, or exfiltrate sensitive information. The lack of authentication for this critical function means that no prior login or authorization is required to execute the permission modification, dramatically increasing the attack surface. This vulnerability is particularly concerning given the potential for widespread deployment of Q-Free MaxTime systems in traffic management infrastructure.
CVE-2025-26347 was publicly disclosed on 2025-02-12. The vulnerability's criticality (CVSS 9.8) and ease of exploitation (no authentication required) suggest a high probability of exploitation. As of this writing, there are no publicly available proof-of-concept exploits, but the simplicity of the attack vector makes it likely that exploits will emerge. The vulnerability has been added to the CISA KEV catalog, indicating a significant risk to federal information systems.
Organizations utilizing Q-Free MaxTime in traffic management systems, particularly those with older versions (0–2.11.0) deployed in environments with limited network segmentation, are at significant risk. Shared hosting environments or deployments where user access controls are not rigorously enforced are also particularly vulnerable.
disclosure
Exploit status
EPSS: 0.68% (percentile 71%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-26347 is to immediately upgrade Q-Free MaxTime to version 2.11.1 or later. If upgrading is not immediately feasible due to compatibility concerns or system downtime requirements, consider implementing strict network segmentation to isolate MaxTime systems from untrusted networks. Review and restrict access to the /menu/routes.lua endpoint using a web application firewall (WAF) or proxy server, blocking any unauthenticated requests. Monitor system logs for suspicious activity, particularly attempts to modify user permissions. After upgrading, confirm the fix by attempting to access the /menu/routes.lua endpoint without authentication and verifying that access is denied.
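The log review recommended above, as an added example that is not part of the advisory or of Q-Free's software: it scans web-server access logs for requests to the /menu/routes.lua endpoint that did not originate from an approved management network, and records whether each one was answered successfully or refused. It assumes Common Log Format lines and a management subnet of 10.0.5.0/24; both the format and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Endpoint named in the advisory for CVE-2025-26347
VULNERABLE_PATH = "/menu/routes.lua"

# Common Log Format; the quoted request is "METHOD PATH PROTOCOL"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic). 10.0.5.0/24 is the assumed
# management network; 203.0.113.x and 198.51.100.x are outside it.
SAMPLE_LOG = """\
10.0.5.12 - - [12/Feb/2025:10:01:02 +0000] "GET /menu/routes.lua HTTP/1.1" 200 512
203.0.113.44 - - [12/Feb/2025:10:02:17 +0000] "POST /menu/routes.lua HTTP/1.1" 200 87
10.0.5.12 - - [12/Feb/2025:10:03:00 +0000] "GET /status HTTP/1.1" 200 1024
198.51.100.9 - - [12/Feb/2025:10:04:41 +0000] "POST /menu/routes.lua?x=1 HTTP/1.1" 403 0
"""


def parse_line(line: str) -> Dict[str, str]:
    """Fields of one CLF line, or an empty dict if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def suspicious_hits(log_text: str, mgmt_net: str = "10.0.5.0/24") -> List[Dict[str, object]]:
    """Requests to the vulnerable endpoint from outside the management network.

    'succeeded' is True when the server answered 2xx, i.e. the request was not
    refused by a WAF, proxy or the patched application and needs follow-up.
    """
    allowed = ipaddress.ip_network(mgmt_net)
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"].split("?", 1)[0] != VULNERABLE_PATH:
            continue
        if ipaddress.ip_address(rec["ip"]) in allowed:
            continue  # expected administrative traffic
        hits.append({"ip": rec["ip"], "method": rec["method"], "ts": rec["ts"],
                     "succeeded": rec["status"].startswith("2")})
    return hits
```

A hit with succeeded set to True on an unpatched host is the case to escalate; a refused hit after the upgrade is the evidence the advisory asks you to collect when confirming the fix.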
Update MaxTime to a version later than 2.11.0. This corrects the missing authentication for critical functions and prevents unauthenticated remote attackers from modifying user permissions. Consult the vendor's website for the latest version and update instructions.
CVE-2025-26347 is a critical vulnerability in Q-Free MaxTime versions 0–2.11.0 that allows unauthenticated attackers to modify user permissions via HTTP requests, potentially granting unauthorized access.
If you are running Q-Free MaxTime version 0 through 2.11.0, you are affected by this vulnerability and should prioritize upgrading to a patched version.
The recommended fix is to upgrade to Q-Free MaxTime version 2.11.1 or later. As an interim measure, restrict access to the vulnerable endpoint using a WAF or proxy.
While no public exploits are currently available, the vulnerability's ease of exploitation and high severity suggest a high probability of exploitation. Monitoring is crucial.
Refer to the official Q-Free security advisory for detailed information and updates regarding CVE-2025-26347.