在 Q-Free MaxTime 小于或等于版本 2.11.0 的 maxprofile/menu/routes.lua 中存在 CWE-306 "关键功能缺失身份验证" 漏洞，允许未经验证的远程攻击者编辑用户权限。

The impact of CVE-2025-26347 is severe. An attacker exploiting this vulnerability can gain unauthorized access to user accounts and escalate privileges within the MaxTime system. This could lead to complete control over the system's configuration, potentially allowing the attacker to manipulate traffic data, disrupt operations, or exfiltrate sensitive information. The lack of authentication for this critical function means that no prior login or authorization is required to execute the permission modification, dramatically increasing the attack surface. This vulnerability is particularly concerning given the potential for widespread deployment of Q-Free MaxTime systems in traffic management infrastructure.

Organizations utilizing Q-Free MaxTime in traffic management systems, particularly those with older versions (0–2.11.0) deployed in environments with limited network segmentation, are at significant risk. Shared hosting environments or deployments where user access controls are not rigorously enforced are also particularly vulnerable.

1. 2025-02-12Disclosure

   disclosure

1. 已保留2025-02-07
2. 发布日期2025-02-12
3. 修改日期2025-02-17
4. EPSS 更新日期2026-04-02

The primary mitigation for CVE-2025-26347 is to immediately upgrade Q-Free MaxTime to version 2.11.1 or later. If upgrading is not immediately feasible due to compatibility concerns or system downtime requirements, consider implementing strict network segmentation to isolate MaxTime systems from untrusted networks. Review and restrict access to the /menu/routes.lua endpoint using a web application firewall (WAF) or proxy server, blocking any unauthenticated requests. Monitor system logs for suspicious activity, particularly attempts to modify user permissions. After upgrading, confirm the fix by attempting to access the /menu/routes.lua endpoint without authentication and verifying that access is denied.