Q-Free MaxTime, Missing Authorization Vulnerability, CVE-2025-26375 Critical

How the CVE Works:

CVE-2025-26375 is a critical vulnerability in Q-Free MaxTime versions 2.11.0 and earlier. It stems from a Missing Authorization (CWE-862) flaw in the `maxprofile/users/routes.lua` file. An authenticated attacker with low privileges can exploit this vulnerability by sending crafted HTTP requests to create users with arbitrary privileges. This bypasses the intended authorization checks, allowing unauthorized elevation of privileges. The CVSS 4.0 score reflects its critical severity due to the potential for significant system compromise.

DailyCVE Form:

Platform: Q-Free MaxTime
Version: <= 2.11.0
Vulnerability: Missing Authorization
Severity: Critical
Date: 02/12/2025

What Undercode Says:

Exploitation:

  1. Crafting HTTP Requests: Attackers can use tools like `curl` or `Postman` to send malicious HTTP POST requests to the `/maxprofile/users` endpoint.
    curl -X POST -H "Content-Type: application/json" -d '{"username":"attacker","privileges":"admin"}' http://target/maxprofile/users
    
  2. Privilege Escalation: By manipulating the `privileges` field, attackers can assign themselves or others admin-level access.

Protection:

  1. Patch Application: Upgrade to a version beyond 2.11.0 if a patch is released.
  2. Input Validation: Implement strict input validation on the `/maxprofile/users` endpoint.
    -- Reject the request before any user record is touched
    if not is_authorized(request.user) then
      return error("Unauthorized")
    end
    
  3. Authorization Checks: Ensure all user creation requests are validated against proper role-based access controls (RBAC).
    -- Only an authenticated admin may create users; guard against a nil user
    function is_authorized(user)
      return user ~= nil and user.role == "admin"
    end
    
  4. Network Segmentation: Restrict access to the MaxTime application to trusted IPs.
  5. Monitoring: Use tools like WAFs (Web Application Firewalls) to detect and block suspicious HTTP requests.

Analytics:

  • Exploit Likelihood: High, due to the ease of crafting HTTP requests.
  • Impact: Critical, as it allows full system compromise.
  • Affected Systems: Q-Free MaxTime installations <= 2.11.0.

References:

  • [NVD Entry] https://nvd.nist.gov/vuln/detail/CVE-2025-26375
  • [Q-Free Security Advisory] https://q-free.com/security
  • [CWE-862 Details] https://cwe.mitre.org/data/definitions/862.html

Tools:

  • Metasploit Module: Potential module for exploiting CVE-2025-26375.
  • Nmap Script: Custom script to detect vulnerable versions.
    nmap -p 80 --script=maxtime-cve-2025-26375 <target>
    

Code Snippet for Mitigation:

-- Example of secure user creation in routes.lua
local function create_user(request)
  -- Authorization check runs first; nothing below is reachable without it
  if not is_authorized(request.user) then
    return error("Unauthorized")
  end
  -- Proceed with user creation
end
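A fuller version of that gate, written here as an added example and not Q-Free's code: besides requiring a role that may create users, it refuses to grant a privilege level above the caller's own and logs every denial. The request shape (`request.user`, `request.body`), the `RANK` ladder and the `CAN_CREATE` set are assumptions for illustration.

```lua
-- Added example, not Q-Free's code: an authorization gate for the user-creation
-- route. The request shape, the privilege ladder RANK and the CAN_CREATE set are
-- assumptions for illustration.
local RANK = { viewer = 1, operator = 2, manager = 3, admin = 4 }
local CAN_CREATE = { manager = true, admin = true }

-- Two rules: the caller needs the create right, and may never grant a privilege
-- level above their own (blocks a low-privileged caller minting an admin account).
local function authorize_create(caller, requested_priv)
  if caller == nil or caller.role == nil or RANK[caller.role] == nil then
    return false, "Unauthenticated"
  end
  if not CAN_CREATE[caller.role] then
    return false, "Forbidden: role may not create users"
  end
  local wanted = RANK[requested_priv]
  if wanted == nil then
    return false, "Bad request: unknown privilege level"
  end
  if wanted > RANK[caller.role] then
    return false, "Forbidden: cannot grant privileges above your own"
  end
  return true
end

local function create_user(request)
  local ok, err = authorize_create(request.user, request.body.privileges)
  if not ok then
    -- Log every denial; repeated denials on this route are the signal to alert on.
    io.stderr:write(string.format("DENIED user-create by %s: %s\n",
      request.user and request.user.name or "<anon>", err))
    return { status = 403, body = err }
  end
  -- Proceed with user creation (persistence omitted in this example)
  return { status = 201, body = "created " .. request.body.username }
end

-- Constructed sample requests covering the denied and allowed paths.
local r1 = { user = { name = "op1", role = "operator" },
             body = { username = "attacker", privileges = "admin" } }
local r2 = { user = { name = "mgr1", role = "manager" },
             body = { username = "x", privileges = "admin" } }
local r3 = { user = { name = "root1", role = "admin" },
             body = { username = "newop", privileges = "operator" } }
assert(create_user(r1).status == 403)   -- no create right
assert(create_user(r2).status == 403)   -- create right, but above own rank
assert(create_user(r3).status == 201)   -- allowed
print("authorization checks behave as expected")
```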

References:

Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-26375
