How the Mentioned CVE Works:
CVE-2025-26367 is a Missing Authorization (CWE-862) vulnerability in Q-Free MaxTime versions 2.11.0 and earlier. The user-group route handlers registered in `maxprofile/user-groups/routes.lua` verify that a request comes from a logged-in session but never check whether that session is allowed to manage groups, so an authenticated, low-privileged user can create arbitrary user groups with crafted HTTP requests. Depending on how those groups and their permissions are consumed elsewhere in the product, this can lead to privilege escalation or to functionality the account was never meant to reach. The CVSS 4.0 score reflects its critical severity due to the potential impact on system integrity and confidentiality.
DailyCVE Form:
Platform: Q-Free MaxTime
Version: <= 2.11.0
Vulnerability: Missing Authorization
Severity: Critical
Date: 02/12/2025
What Undercode Say:
Exploitation:
1. Crafted HTTP Request: An attacker who already holds a low-privileged MaxTime account sends a crafted HTTP POST to the user-group creation route defined in `maxprofile/user-groups/routes.lua`. Note that `routes.lua` is the Lua source file that registers the routes, not an HTTP path; the advisory does not publish the exact URL or request format.
2. Payload Example (the route path, JSON field names and token value below are illustrative assumptions, not taken from the advisory):
[http]
POST /maxprofile/user-groups HTTP/1.1
Host: target.com
Content-Type: application/json
Authorization: Bearer <low-privilege-session-token>

{
"group_name": "admin_group",
"permissions": ["admin"]
}
[/http]
3. Privilege Escalation: Because the handler never checks whether the caller may manage groups, the request succeeds and the attacker can create groups carrying privileges their own account lacks, bypassing the intended restrictions.
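The following is an added illustration of the missing-authorization pattern the CVE describes, written for this page rather than taken from Q-Free MaxTime: the session/role model, the permission names, the handler signatures and the HTTP-style return tuples are all assumptions. It replays the payload above as a low-privileged user against a handler that checks only authentication (the CWE-862 shape) and against a hardened handler that checks a permission before touching state and refuses to grant permissions the caller does not hold.

```python
"""Missing authorization (CWE-862) vs. an explicit permission check.

Added example; not Q-Free MaxTime code. Roles, permission names and the
handler interface are assumptions made for illustration.
"""
from dataclasses import dataclass, field


class Unauthenticated(Exception):
    """Raised when no valid session accompanies the request."""


class Forbidden(Exception):
    """Raised when the session lacks the permission the route requires."""


@dataclass
class Session:
    user: str
    role: str  # assumed role names: "admin", "operator"


@dataclass
class GroupStore:
    groups: dict = field(default_factory=dict)


# Assumed role -> permission mapping for the example.
ROLE_PERMISSIONS = {
    "admin": {"manage_user_groups", "admin"},
    "operator": {"view_status"},
}


def require_session(session):
    if session is None:
        raise Unauthenticated("login required")


def create_group_vulnerable(store, session, body):
    """Authentication only: any logged-in user may create any group."""
    require_session(session)
    name = body["group_name"]
    store.groups[name] = {
        "created_by": session.user,
        "permissions": set(body.get("permissions", [])),
    }
    return 201, store.groups[name]


def create_group_hardened(store, session, body):
    """Authorization before the state change, plus no self-elevation."""
    require_session(session)
    held = ROLE_PERMISSIONS.get(session.role, set())
    if "manage_user_groups" not in held:
        raise Forbidden(f"{session.user} ({session.role}) may not manage groups")
    requested = set(body.get("permissions", []))
    # A caller may only grant permissions it holds itself.
    if not requested <= held:
        raise Forbidden(f"cannot grant {sorted(requested - held)}")
    name = body["group_name"]
    store.groups[name] = {"created_by": session.user, "permissions": requested}
    return 201, store.groups[name]


def demo():
    """Replay the page's payload as a low-privileged user against both handlers."""
    payload = {"group_name": "admin_group", "permissions": ["admin"]}
    low_priv = Session(user="operator1", role="operator")
    admin = Session(user="admin", role="admin")

    vuln_store = GroupStore()
    status, _ = create_group_vulnerable(vuln_store, low_priv, payload)

    hard_store = GroupStore()
    try:
        create_group_hardened(hard_store, low_priv, payload)
        denied = False
    except Forbidden:
        denied = True
    admin_status, _ = create_group_hardened(hard_store, admin, payload)

    return {
        "vulnerable_status": status,
        "vulnerable_group_created": "admin_group" in vuln_store.groups,
        "hardened_denied_low_priv": denied,
        "hardened_admin_status": admin_status,
        "hardened_groups": sorted(hard_store.groups),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the second check in `create_group_hardened` is that fixing CWE-862 is not only "require an admin": a route that creates privilege-bearing objects should also cap what it can hand out at what the caller already has, otherwise a lesser bug in role assignment later turns back into an escalation.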
Protection:
- Patch Update: Upgrade to Q-Free MaxTime version 2.11.1 or later, and confirm in the vendor's release notes that the release you deploy includes the authorization fix for the user-group routes.
- Input Validation: Strict validation of the group name and permission list limits what an attacker can put into a group, but it does not fix this bug; only an authorization check on the route does.
- Access Control: Enforce role-based access control (RBAC) on every mutating route, not only in the UI, so that low-privileged users cannot create or modify user groups even with a hand-crafted request.
- Monitoring: Log and alert on POST, PUT and DELETE requests to the user-group routes (those served by `maxprofile/user-groups/routes.lua`) from accounts that are not group administrators; a 2xx response to such a request from a low-privileged account means the flaw is being exploited, a 403 means an attempt was blocked.
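As an added example of the monitoring step (not MaxTime's own logging or a vendor tool), the following scans a constructed access log for mutating requests to the user-group route made by non-admin sessions and grades each hit by whether it succeeded. The log format, the field names and the route path `/maxprofile/user-groups` are assumptions, since the advisory does not publish the endpoint; the sample lines are constructed for the example.

```python
"""Flag user-group changes attempted by non-admin accounts.

Added example; the log layout "<ts> <client> user=<u> role=<r> <method> <path> <status>"
and the route path are assumptions, and SAMPLE_LOG is constructed, not captured.
"""
import re
from collections import namedtuple

SAMPLE_LOG = """\
2025-02-12T09:58:41Z 10.10.1.20 user=admin role=admin POST /maxprofile/user-groups 201
2025-02-12T10:01:02Z 10.10.1.77 user=operator1 role=operator GET /maxprofile/user-groups 200
2025-02-12T10:01:09Z 10.10.1.77 user=operator1 role=operator POST /maxprofile/user-groups 201
2025-02-12T10:02:15Z 10.10.1.77 user=operator1 role=operator POST /maxprofile/user-groups 403
2025-02-12T10:05:00Z 10.10.1.30 user=viewer2 role=viewer PUT /maxprofile/user-groups/7 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
GROUP_ROUTE = re.compile(r"^/maxprofile/user-groups(/|$)")  # assumed path
PRIVILEGED_ROLES = {"admin"}                                # assumed role name
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}

Alert = namedtuple("Alert", "ts user role method path status severity")


def detect(log_text):
    """Return one Alert per mutating user-group request from a non-admin role.

    severity "high": the server answered 2xx, so the missing check was exploited;
    severity "medium": the request was refused, so someone is probing.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        r = m.groupdict()
        if r["method"] not in MUTATING or not GROUP_ROUTE.match(r["path"]):
            continue
        if r["role"] in PRIVILEGED_ROLES:
            continue
        severity = "high" if r["status"].startswith("2") else "medium"
        alerts.append(Alert(r["ts"], r["user"], r["role"], r["method"],
                            r["path"], int(r["status"]), severity))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The rule only works if the log carries the authenticated user and role; a front-end proxy log that records just client IP and path cannot distinguish an administrator's legitimate group change from the exploit, so the attribution has to come from the application or from a session-to-user join before this check runs.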
Commands:
1. Check Version (the `/api/version` path is an illustrative guess, not a documented MaxTime endpoint; confirm the real way to read the installed version from the vendor documentation):
curl -s http://target.com/api/version
2. Apply Patch: MaxTime is vendor-distributed traffic-controller software and is not shipped as an apt package, so `sudo apt-get install qfreemaxtime` will not work. Obtain the fixed release from Q-Free and install it with the vendor's documented update procedure.
References:
- [Q-Free MaxTime Patch Notes](https://qfreemaxtime.com/patches)
- [CVE-2025-26367 NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2025-26367)
- [Nozomi Networks Advisory](https://nozominetworks.com/advisories/CVE-2025-26367)
Analytics:
- Exploitability: High (requires only a low-privileged authenticated account)
- Impact: Critical (privilege escalation, unauthorized access)
- Affected Systems: Q-Free MaxTime <= 2.11.0
- Mitigation Difficulty: Low (patch available)
By following these steps, organizations can mitigate the risks associated with CVE-2025-26367 and secure their Q-Free MaxTime installations.
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-26367