Platform
other
Component
maxtime
Opgelost in
2.11.1
CVE-2025-26347 identifies a critical vulnerability in Q-Free MaxTime, specifically within the /menu/routes.lua file. This flaw, classified as a CWE-306 (Missing Authentication for Critical Function), allows an unauthenticated remote attacker to modify user permissions. The vulnerability impacts versions 0 through 2.11.0 of MaxTime, and a patch is available in version 2.11.1.
The impact of CVE-2025-26347 is severe. An attacker exploiting this vulnerability can gain unauthorized access to user accounts and escalate privileges within the MaxTime system. This could lead to complete control over the system's configuration, potentially allowing the attacker to manipulate traffic data, disrupt operations, or exfiltrate sensitive information. The lack of authentication for this critical function means that no prior login or authorization is required to execute the permission modification, dramatically increasing the attack surface. This vulnerability is particularly concerning given the potential for widespread deployment of Q-Free MaxTime systems in traffic management infrastructure.
CVE-2025-26347 was publicly disclosed on 2025-02-12. The vulnerability's criticality (CVSS 9.8) and ease of exploitation (no authentication required) suggest a high probability of exploitation. As of this writing, there are no publicly available proof-of-concept exploits, but the simplicity of the attack vector makes it likely that exploits will emerge. The vulnerability has been added to the CISA KEV catalog, indicating a significant risk to federal information systems.
Organizations utilizing Q-Free MaxTime in traffic management systems, particularly those with older versions (0–2.11.0) deployed in environments with limited network segmentation, are at significant risk. Shared hosting environments or deployments where user access controls are not rigorously enforced are also particularly vulnerable.
disclosure
Exploit Status
EPSS
0.68% (71% percentiel)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2025-26347 is to immediately upgrade Q-Free MaxTime to version 2.11.1 or later. If upgrading is not immediately feasible due to compatibility concerns or system downtime requirements, consider implementing strict network segmentation to isolate MaxTime systems from untrusted networks. Review and restrict access to the /menu/routes.lua endpoint using a web application firewall (WAF) or proxy server, blocking any unauthenticated requests. Monitor system logs for suspicious activity, particularly attempts to modify user permissions. After upgrading, confirm the fix by attempting to access the /menu/routes.lua endpoint without authentication and verifying that access is denied.
Werk MaxTime bij naar een versie later dan 2.11.0. Dit corrigeert de ontbrekende authenticatie voor kritieke functies en voorkomt dat niet-geauthenticeerde externe aanvallers gebruikersrechten kunnen bewerken. Raadpleeg de website van de leverancier voor de nieuwste versie en update-instructies.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2025-26347 is a critical vulnerability in Q-Free MaxTime versions 0–2.11.0 that allows unauthenticated attackers to modify user permissions via HTTP requests, potentially granting unauthorized access.
If you are running Q-Free MaxTime version 0 through 2.11.0, you are affected by this vulnerability and should prioritize upgrading to a patched version.
The recommended fix is to upgrade to Q-Free MaxTime version 2.11.1 or later. As an interim measure, restrict access to the vulnerable endpoint using a WAF or proxy.
While no public exploits are currently available, the vulnerability's ease of exploitation and high severity suggest a high probability of exploitation. Monitoring is crucial.
Refer to the official Q-Free security advisory for detailed information and updates regarding CVE-2025-26347.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.