平台
other
组件
maxtime
修复版本
2.11.1
CVE-2025-26347 identifies a critical vulnerability in Q-Free MaxTime, specifically within the /menu/routes.lua file. This flaw, classified as a CWE-306 (Missing Authentication for Critical Function), allows an unauthenticated remote attacker to modify user permissions. The vulnerability impacts versions 0 through 2.11.0 of MaxTime, and a patch is available in version 2.11.1.
The impact of CVE-2025-26347 is severe. An attacker exploiting this vulnerability can gain unauthorized access to user accounts and escalate privileges within the MaxTime system. This could lead to complete control over the system's configuration, potentially allowing the attacker to manipulate traffic data, disrupt operations, or exfiltrate sensitive information. The lack of authentication for this critical function means that no prior login or authorization is required to execute the permission modification, dramatically increasing the attack surface. This vulnerability is particularly concerning given the potential for widespread deployment of Q-Free MaxTime systems in traffic management infrastructure.
CVE-2025-26347 was publicly disclosed on 2025-02-12. The vulnerability's criticality (CVSS 9.8) and ease of exploitation (no authentication required) suggest a high probability of exploitation. As of this writing, there are no publicly available proof-of-concept exploits, but the simplicity of the attack vector makes it likely that exploits will emerge. The vulnerability has been added to the CISA KEV catalog, indicating a significant risk to federal information systems.
Organizations utilizing Q-Free MaxTime in traffic management systems, particularly those with older versions (0–2.11.0) deployed in environments with limited network segmentation, are at significant risk. Shared hosting environments or deployments where user access controls are not rigorously enforced are also particularly vulnerable.
disclosure
漏洞利用状态
EPSS
0.68% (71% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2025-26347 is to immediately upgrade Q-Free MaxTime to version 2.11.1 or later. If upgrading is not immediately feasible due to compatibility concerns or system downtime requirements, consider implementing strict network segmentation to isolate MaxTime systems from untrusted networks. Review and restrict access to the /menu/routes.lua endpoint using a web application firewall (WAF) or proxy server, blocking any unauthenticated requests. Monitor system logs for suspicious activity, particularly attempts to modify user permissions. After upgrading, confirm the fix by attempting to access the /menu/routes.lua endpoint without authentication and verifying that access is denied.
将 MaxTime 更新到 2.11.0 之后的版本。这将修复关键功能的身份验证缺失,并防止未经验证的远程攻击者编辑用户权限。请参阅供应商网站以获取最新版本和升级说明。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2025-26347 is a critical vulnerability in Q-Free MaxTime versions 0–2.11.0 that allows unauthenticated attackers to modify user permissions via HTTP requests, potentially granting unauthorized access.
If you are running Q-Free MaxTime version 0 through 2.11.0, you are affected by this vulnerability and should prioritize upgrading to a patched version.
The recommended fix is to upgrade to Q-Free MaxTime version 2.11.1 or later. As an interim measure, restrict access to the vulnerable endpoint using a WAF or proxy.
While no public exploits are currently available, the vulnerability's ease of exploitation and high severity suggest a high probability of exploitation. Monitoring is crucial.
Refer to the official Q-Free security advisory for detailed information and updates regarding CVE-2025-26347.