
CVE-2025-26361: Q-free Maxtime Auth Bypass Vulnerability

CVE-2025-26361 is an authentication bypass flaw in Q-free Maxtime that allows unauthenticated attackers to perform factory resets remotely. This article covers the technical details, affected versions, and mitigation.

CVE-2025-26361 Overview

CVE-2025-26361 is a critical authentication bypass vulnerability (CWE-306, Missing Authentication for Critical Function) affecting Q-Free MaxTime traffic management devices. The flaw is in the maxprofile/setup/routes.lua component, which dispatches critical administrative functions without requiring authentication. An unauthenticated remote attacker can therefore trigger a factory reset on an affected device with ordinary HTTP requests to the setup routes, potentially causing significant operational disruption in traffic management infrastructure.

Critical Impact

Unauthenticated remote attackers can factory reset Q-Free MaxTime devices, resulting in complete loss of device configuration, service disruption, and potential safety hazards in traffic management systems.

Affected Products

  • Q-Free MaxTime versions 2.11.0 and earlier
  • Traffic management and control systems utilizing Q-Free MaxTime
  • Infrastructure deployments with network-exposed MaxTime devices

Discovery Timeline

  • 2025-02-12 - CVE-2025-26361 published to NVD
  • 2025-10-28 - Last updated in NVD database

Technical Details for CVE-2025-26361

Vulnerability Analysis

This vulnerability stems from a design flaw: the maxprofile/setup/routes.lua module dispatches critical administrative requests without first checking that the caller is authenticated. The factory reset function, which should be reachable only by authenticated administrators, is exposed with no credential verification at all. An attacker with network access to the device can invoke this destructive operation by sending the same HTTP request an administrator would, minus any session or credentials; no exploit primitive beyond network reachability is required.

The impact is particularly severe in operational technology (OT) environments where Q-Free MaxTime devices manage traffic control systems. A successful exploitation results in complete loss of device configuration, returning the system to factory defaults and potentially disrupting traffic management operations.

Root Cause

The root cause is a missing authentication check (CWE-306) in the Lua routing configuration. The routes.lua file handles HTTP request routing for the device's web interface but fails to verify user authentication before allowing access to the factory reset functionality. This represents a critical oversight in access control implementation where a sensitive administrative function lacks the necessary security gate.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:

  1. Identifying network-accessible Q-Free MaxTime devices (versions ≤ 2.11.0)
  2. Sending an HTTP request to the unprotected setup route without any credentials
  3. Triggering the factory reset, after which the device returns to factory defaults and all configuration is lost

The attack requires network access to the device's management interface. If the device is exposed to the internet or accessible from an untrusted network segment, the risk of exploitation increases significantly.

Detection Methods for CVE-2025-26361

Indicators of Compromise

  • Unexpected factory reset events on Q-Free MaxTime devices
  • Loss of device configuration without authorized administrative action
  • Unusual HTTP requests to /maxprofile/setup/ endpoints in web server logs
  • Network traffic patterns indicating automated scanning of MaxTime management interfaces

Detection Strategies

  • Monitor for HTTP requests to MaxTime setup and configuration endpoints from unexpected sources
  • Implement network intrusion detection rules that flag requests to the setup routes arriving from outside the management network; over plain HTTP an IDS can match the path directly, while TLS traffic has to be inspected at the proxy or in the device's own logs
  • Review device logs for unexpected reset events or configuration changes
  • Deploy behavioral monitoring to detect anomalous administrative operations on traffic management devices
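
The log-based checks above (the /maxprofile/setup/ indicator and the unexpected-source rule), as an added detection example that is not code from the original page or from Q-Free. It assumes combined-format access logs from a proxy or web server in front of the device, a trusted management network of 10.10.10.0/24, and constructed sample log lines; because the advisory names only the maxprofile/setup/routes.lua component and not the exact reset route, it matches on the /maxprofile/setup/ prefix:

```python
"""Added example (not code from the original page or from Q-Free): scan
proxy/web-server access logs for requests to the MaxTime setup endpoints
and rank the ones that need attention.  Assumptions: logs are in nginx/Apache
"combined" format, the trusted management network is 10.10.10.0/24, and
the SAMPLE_LOG lines below are constructed for the example."""
import ipaddress
import re
from dataclasses import dataclass

# Combined log format: only source address, timestamp, request line and
# status are parsed; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The advisory names maxprofile/setup/routes.lua; the exact reset route is not
# published, so anything under this prefix is treated as sensitive.
SENSITIVE_PREFIX = "/maxprofile/setup/"

# Assumed trusted management network; adjust to the deployment.
TRUSTED_NETS = [ipaddress.ip_network("10.10.10.0/24")]

# Constructed sample log lines (not real device or proxy logs).
SAMPLE_LOG = """\
10.10.10.5 - admin [12/Feb/2025:09:14:02 +0000] "GET /maxprofile/setup/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2025:09:15:40 +0000] "GET / HTTP/1.1" 200 1024 "-" "python-requests/2.31"
203.0.113.7 - - [12/Feb/2025:09:15:41 +0000] "POST /maxprofile/setup/ HTTP/1.1" 200 96 "-" "python-requests/2.31"
198.51.100.9 - - [12/Feb/2025:09:20:13 +0000] "GET /maxprofile/setup/?probe=1 HTTP/1.1" 403 153 "-" "curl/8.4.0"
10.10.10.5 - admin [12/Feb/2025:09:30:00 +0000] "POST /maxprofile/setup/ HTTP/1.1" 200 96 "-" "Mozilla/5.0"
"""


@dataclass
class Alert:
    severity: str   # "high", "medium" or "low"
    src: str
    ts: str
    method: str
    path: str
    status: int
    reason: str


def is_trusted(src: str) -> bool:
    """True if src parses as an address inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def scan_log(lines):
    """Return one Alert per request under SENSITIVE_PREFIX that needs attention.

    high:   untrusted source and the request was served (status < 400): the
            unauthenticated route was reachable, so treat as possible exploitation
    medium: untrusted source but the request was refused upstream: probing/scanning
    low:    trusted source but a state-changing method: confirm against change
            records, since a reset from an admin address can still be unplanned
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line: skip, do not crash
        path = m["path"].split("?", 1)[0]  # ignore the query string when matching
        if not path.startswith(SENSITIVE_PREFIX):
            continue
        status = int(m["status"])
        common = (m["src"], m["ts"], m["method"], path, status)
        if not is_trusted(m["src"]):
            if status < 400:
                alerts.append(Alert("high", *common, "setup endpoint served to untrusted source"))
            else:
                alerts.append(Alert("medium", *common, "setup endpoint probed from untrusted source"))
        elif m["method"] != "GET":
            alerts.append(Alert("low", *common, "state-changing request from trusted source"))
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG.splitlines()):
        print(f"[{a.severity}] {a.ts} {a.src} {a.method} {a.path} -> {a.status}: {a.reason}")
```

Run it as a script to print the alerts for the sample lines, or pass real log lines to scan_log. The severity split is the practical point: a served (2xx/3xx) request from an untrusted address means the unauthenticated route was reachable and a factory reset may have happened, whereas a 403 from a proxy means the workaround held and the event is reconnaissance.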

Monitoring Recommendations

  • Enable comprehensive logging on Q-Free MaxTime devices and centralize log collection
  • Implement network segmentation monitoring to detect unauthorized access attempts to OT devices
  • Configure alerts for factory reset events or significant configuration changes
  • Regularly audit network access to traffic management infrastructure

How to Mitigate CVE-2025-26361

Immediate Actions Required

  • Isolate Q-Free MaxTime devices from untrusted networks immediately
  • Implement network-level access controls (firewalls, VLANs) to restrict management interface access
  • Audit existing MaxTime deployments to identify devices running vulnerable versions (≤ 2.11.0)
  • Contact Q-Free support for guidance on available security updates

Patch Information

Consult the Nozomi Networks Vulnerability Advisory for the latest information on available patches and vendor remediation guidance. Organizations should prioritize upgrading to versions newer than 2.11.0 when patches become available from Q-Free.

Workarounds

  • Restrict network access to the MaxTime management interface using firewall rules or network segmentation
  • Deploy a VPN or jump server requirement for administrative access to traffic management devices
  • Implement reverse proxy with authentication in front of the MaxTime web interface
  • Disable or block HTTP access to /maxprofile/setup/ paths at the network level if possible
```bash
# Example iptables rules for the Linux host that fronts the MaxTime
# management interface (a reverse proxy or jump host); the device itself
# is not assumed to run iptables.  Allow only the trusted management
# network (adjust the range), then drop everything else.  Rules are
# appended in order, so the ACCEPT lines must come before the DROP lines,
# and any earlier catch-all ACCEPT in the chain would make them moot.
iptables -A INPUT -p tcp --dport 80 -s 10.10.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.10.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
# If the host routes traffic to the device rather than terminating it,
# apply the same rules to the FORWARD chain with -d <device address>.
```
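
The reverse-proxy workaround from the list above, as an added example configuration that is not from Q-Free, the advisory, or the original page. It assumes nginx as the proxy, the MaxTime web interface at http://192.0.2.10 reachable only from the proxy host, a trusted management network of 10.10.10.0/24, an htpasswd file of operator accounts at /etc/nginx/maxtime.htpasswd, and placeholder certificate paths:

```nginx
# Added example reverse-proxy configuration (not from Q-Free or the advisory).
# Assumptions: the MaxTime web interface listens on http://192.0.2.10 and is
# reachable only from this proxy host; /etc/nginx/maxtime.htpasswd holds the
# operator accounts; the certificate paths are placeholders.
server {
    listen 443 ssl;
    server_name maxtime.example.internal;
    ssl_certificate     /etc/nginx/certs/maxtime.crt;
    ssl_certificate_key /etc/nginx/certs/maxtime.key;

    # Even with the proxy in place, the management interface should only
    # be reachable from the trusted management network.
    allow 10.10.10.0/24;
    deny  all;

    # The vulnerable component lives under this prefix.  Until the device
    # is patched, refuse it outright at the proxy rather than rely on the
    # device to authenticate it.  404 rather than 403 so probes learn nothing.
    location ^~ /maxprofile/setup/ {
        return 404;
    }

    # Everything else must authenticate to the proxy before it reaches the
    # device, which gives the interface an auth layer independent of the
    # one the device fails to enforce.
    location / {
        auth_basic           "MaxTime management";
        auth_basic_user_file /etc/nginx/maxtime.htpasswd;
        proxy_pass           http://192.0.2.10;
        proxy_set_header     Host $host;
        proxy_set_header     X-Forwarded-For $remote_addr;
    }
}
```

The proxy only helps if the device cannot be reached directly, so pair it with firewall rules or a VLAN that admits just the proxy host. If operators need the setup pages while a patch is pending, replace the `return 404` with the same auth_basic directives used for location / so the prefix stays reachable only to a proxy-authenticated user; do not leave it passing through unauthenticated.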

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
