CVE-2025-26364 Overview
CVE-2025-26364 is a missing authentication vulnerability [CWE-306] in Q-Free MaxTime traffic controller software. The flaw exists in the maxprofile/setup/routes.lua component and affects all versions up to and including 2.11.0. An unauthenticated remote attacker can disable the authentication profile server by sending crafted HTTP requests to the affected endpoint. Successful exploitation removes authentication enforcement on the device, exposing downstream administrative functions without requiring credentials, user interaction, or prior network position beyond reachability.
Critical Impact
Unauthenticated attackers with network access can disable the authentication profile server in Q-Free MaxTime, removing identity controls protecting traffic management functions.
Affected Products
- Q-Free MaxTime version 2.11.0
- Q-Free MaxTime versions earlier than 2.11.0
- Deployments using the maxprofile/setup/routes.lua route handler
Discovery Timeline
- 2025-02-12 - CVE-2025-26364 published to NVD with advisory from Nozomi Networks Labs
- 2025-10-28 - Last updated in NVD database
Technical Details for CVE-2025-26364
Vulnerability Analysis
Q-Free MaxTime is a traffic controller management product deployed in intelligent transportation systems. The vulnerable component is the Lua route handler at maxprofile/setup/routes.lua, which exposes setup functionality over HTTP. The route handler accepts requests that can disable the authentication profile server without verifying caller identity or session state.
Disabling the authentication profile server removes the identity enforcement layer that protects subsequent management operations. Once that state change succeeds, downstream functions that previously required authenticated sessions become reachable in an unauthenticated state. The CWE-306 classification reflects that a critical security function lacks any authentication check before execution.
EPSS data places the probability of observed exploitation activity at 0.569% with a percentile of 68.779, indicating moderate predicted exploitation interest relative to the broader CVE corpus.
Root Cause
The root cause is missing authentication enforcement on a privileged route. The Lua route handler in maxprofile/setup/routes.lua processes inbound HTTP requests that change authentication server state. The handler does not validate session tokens, API keys, or any equivalent credential before performing the state change.
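The following is an added illustration of the CWE-306 pattern described above, written for this page in Python; it is not MaxTime's Lua code and does not reproduce the real handler. The route path, the in-memory session store and the state object are assumptions chosen only to contrast a state-changing route that performs no identity check with a hardened version that requires a valid admin session and records an audit entry.

```python
# Added example: CWE-306 on a privileged setup route, weak form beside hardened form.
# Generic sketch for this page, not MaxTime's code. The path, session store and
# AuthProfileServer object are assumptions.
from dataclasses import dataclass, field


@dataclass
class AuthProfileServer:
    """Assumed state object: the thing the vulnerable route can switch off."""
    enabled: bool = True
    audit: list = field(default_factory=list)


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


# Constructed session store: bearer token -> role. A real system would validate
# against server-side sessions with expiry and binding to the client.
SESSIONS = {"tok-admin-1": "admin", "tok-viewer-2": "viewer"}
DISABLE_PATH = "/maxprofile/setup/auth/disable"  # assumed path, not the real one


def vulnerable_disable_auth(req: Request, server: AuthProfileServer) -> int:
    """Weak form: the state change runs for any caller (CWE-306).
    Returns an HTTP-style status code."""
    if req.method == "POST" and req.path == DISABLE_PATH:
        server.enabled = False          # no credential, no session, no role check
        return 200
    return 404


def hardened_disable_auth(req: Request, server: AuthProfileServer) -> int:
    """Hardened form: authenticate, then authorise, then change state, then audit."""
    if not (req.method == "POST" and req.path == DISABLE_PATH):
        return 404
    token = req.headers.get("Authorization", "")
    role = SESSIONS.get(token)
    if role is None:
        server.audit.append(("denied", "no-session", req.path))
        return 401                      # unauthenticated: refuse before touching state
    if role != "admin":
        server.audit.append(("denied", role, req.path))
        return 403                      # authenticated but not privileged
    server.enabled = False
    server.audit.append(("disabled", role, req.path))  # security-relevant change is logged
    return 200


if __name__ == "__main__":
    weak = AuthProfileServer()
    print("weak handler, no credential:", vulnerable_disable_auth(Request("POST", DISABLE_PATH), weak), weak.enabled)
    strong = AuthProfileServer()
    print("hardened, no credential:", hardened_disable_auth(Request("POST", DISABLE_PATH), strong), strong.enabled)
    print("hardened, admin session:", hardened_disable_auth(
        Request("POST", DISABLE_PATH, {"Authorization": "tok-admin-1"}), strong), strong.enabled)
```

The point of the hardened form is ordering: the credential is checked and a denial is recorded before any state is touched, so an unauthenticated call leaves the server enabled and leaves an audit trail that the detection guidance below can correlate against.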
Attack Vector
The attack vector is network-based. An attacker reachable over HTTP to the MaxTime management interface sends crafted HTTP requests targeting the vulnerable route. No prior authentication, user interaction, or elevated privileges are required. The attack succeeds when the request triggers the authentication profile server to disable. See the Nozomi Networks Vulnerability Advisory for additional technical detail.
No verified proof-of-concept code is published. The vulnerability is described in prose only, consistent with available source material.
Detection Methods for CVE-2025-26364
Indicators of Compromise
- Unexpected HTTP requests to the maxprofile/setup/routes endpoint from unfamiliar source addresses
- Authentication profile server transitioning to a disabled state without a corresponding administrative session
- Administrative actions performed against MaxTime without preceding authentication events in logs
Detection Strategies
- Inspect MaxTime web server access logs for HTTP requests targeting maxprofile/setup/routes.lua paths and correlate with authentication state changes
- Alert on transitions of the authentication profile server from enabled to disabled outside of scheduled maintenance windows
- Baseline normal management traffic by source address and time of day, then flag deviations against the management interface
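The following added example, written for this page and not taken from Q-Free, Nozomi Networks or MaxTime, implements the two correlations above over constructed sample logs: it flags requests to the maxprofile/setup/routes handler from sources outside a management allowlist, and it flags transitions of the authentication profile server to a disabled state while no administrative session is active. MaxTime's real log formats are not on the page, so the access-log layout (a common combined-style line) and the application event format are assumptions; adapt the regular expression and the event names to the actual logs.

```python
# Added detection example for this page. Log formats, allowlist and sample
# lines are constructed assumptions, not real MaxTime output.
import re
from ipaddress import ip_address, ip_network

# Sources expected to reach the management interface (constructed allowlist).
MGMT_ALLOWLIST = [ip_network("10.0.5.0/24")]
ROUTE_PREFIX = "/maxprofile/setup/routes"

# Constructed access-log lines in a combined-style layout (assumed, not MaxTime's).
ACCESS_LOG = [
    '10.0.5.20 - admin [12/Feb/2025:10:00:45 +0000] "GET /maxprofile/setup/routes.lua HTTP/1.1" 200 512',
    '10.0.5.20 - admin [12/Feb/2025:10:00:50 +0000] "POST /maxprofile/setup/routes.lua HTTP/1.1" 200 43',
    '10.0.5.31 - - [12/Feb/2025:10:01:05 +0000] "GET /status HTTP/1.1" 200 88',
    '203.0.113.7 - - [12/Feb/2025:10:02:18 +0000] "POST /maxprofile/setup/routes.lua HTTP/1.1" 200 43',
]

# Constructed application/auth events: "<iso-ts> <event> key=value ..." (assumed format).
APP_LOG = [
    "2025-02-12T10:00:40+00:00 session_login user=admin src=10.0.5.20",
    "2025-02-12T10:00:50+00:00 auth_profile_server state=disabled",   # admin session active
    "2025-02-12T10:01:10+00:00 auth_profile_server state=enabled",
    "2025-02-12T10:01:30+00:00 session_logout user=admin",
    "2025-02-12T10:02:20+00:00 auth_profile_server state=disabled",   # nobody logged in
]

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_access_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def is_allowlisted(src, allowlist=MGMT_ALLOWLIST):
    """True when src parses as an IP address inside one of the allowlisted networks."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False                      # hostnames or junk are never trusted implicitly
    return any(addr in net for net in allowlist)


def flag_route_requests(lines, allowlist=MGMT_ALLOWLIST):
    """IoC 1: requests to the setup route handler from non-allowlisted sources."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue                      # malformed line: skip, do not abort the pipeline
        path = rec["path"].split("?", 1)[0]
        if path.startswith(ROUTE_PREFIX) and not is_allowlisted(rec["src"], allowlist):
            hits.append((rec["ts"], rec["src"], rec["method"], rec["path"]))
    return hits


def flag_unattended_disables(lines):
    """IoC 2: auth profile server goes disabled while no admin session is active.
    Tracks logins/logouts as they stream past and returns the timestamps to alert on."""
    active = set()
    alerts = []
    for line in lines:
        ts, event, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        if event == "session_login":
            active.add(fields["user"])
        elif event == "session_logout":
            active.discard(fields["user"])
        elif event == "auth_profile_server" and fields.get("state") == "disabled" and not active:
            alerts.append(ts)
    return alerts


if __name__ == "__main__":
    for hit in flag_route_requests(ACCESS_LOG):
        print("ALERT route request from non-allowlisted source:", hit)
    for ts in flag_unattended_disables(APP_LOG):
        print("ALERT auth profile server disabled with no active admin session at", ts)
```

On the constructed input the first check reports only the request from 203.0.113.7 and the second reports only the disable at 10:02:20, because the earlier disable happened during an open admin session. Both checks are stateless enough to run on a central log platform as the page recommends; the second needs the auth events and the state-change events in the same stream, ordered by time.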
Monitoring Recommendations
- Forward MaxTime application and authentication logs to a central log aggregation platform for correlation
- Monitor network flows to the MaxTime management interface and alert on connections from non-allowlisted sources
- Track configuration state of the authentication profile server as a security-relevant asset attribute
How to Mitigate CVE-2025-26364
Immediate Actions Required
- Restrict network reachability to the MaxTime management interface using firewall rules or VLAN segmentation
- Limit access to the management interface to a defined administrative jump host or management network
- Review MaxTime logs for prior unauthenticated requests to maxprofile/setup/routes.lua and validate authentication server state
- Contact Q-Free for guidance on fixed versions and verify any updates against the Nozomi Networks Vulnerability Advisory
Patch Information
The advisory identifies all versions of Q-Free MaxTime up to and including 2.11.0 as affected. Operators should consult Q-Free directly for a fixed release and apply it according to vendor instructions. Until a fixed release is confirmed deployed, treat the management interface as exposed.
Workarounds
- Place the MaxTime management interface behind a VPN or zero-trust network access broker that enforces authentication upstream of the application
- Apply network access control lists that permit management HTTP traffic only from authorized administrator workstations
- Disable or block external routing to the device's HTTP management port at the perimeter
# Example iptables rule restricting access to the MaxTime management port
# Replace <mgmt_subnet> and <mgmt_port> with environment-specific values
iptables -A INPUT -p tcp --dport <mgmt_port> -s <mgmt_subnet> -j ACCEPT
iptables -A INPUT -p tcp --dport <mgmt_port> -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.