Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-26371

CVE-2025-26371: Q-free Maxtime Auth Bypass Vulnerability

CVE-2025-26371 is an authorization bypass flaw in Q-free Maxtime that allows low-privileged attackers to add users to groups without proper authorization. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-26371 Overview

CVE-2025-26371 is a missing authorization vulnerability [CWE-862] in Q-Free MaxTime traffic management software. The flaw resides in maxprofile/user-groups/routes.lua and affects versions less than or equal to 2.11.0. An authenticated attacker with low privileges can add users to arbitrary groups by sending crafted HTTP requests. The vulnerability enables horizontal and vertical privilege escalation within the MaxTime application. Successful exploitation grants unauthorized access to functions reserved for higher-privileged group memberships, compromising confidentiality, integrity, and availability of the system.

Critical Impact

Authenticated low-privileged attackers can escalate privileges by assigning users to administrative groups through unauthorized HTTP requests to the user-groups endpoint.

Affected Products

  • Q-Free MaxTime version 2.11.0 and earlier
  • maxprofile/user-groups/routes.lua component
  • Q-Free traffic management infrastructure deployments

Discovery Timeline

  • 2025-02-12 - CVE-2025-26371 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-26371

Vulnerability Analysis

The vulnerability stems from missing authorization checks in the user-groups route handler within Q-Free MaxTime. The application authenticates the requesting user but fails to verify whether that user holds sufficient privileges to modify group membership. Any authenticated session, regardless of role, can invoke the endpoint to add accounts to privileged groups.

This weakness aligns with [CWE-862] Missing Authorization. The route accepts group modification requests without validating the caller against an authorization policy. Attackers can elevate their own account or attacker-controlled accounts into administrative groups, bypassing the application's role-based access model.

Once a low-privileged account joins a privileged group, the attacker inherits all permissions associated with that group. This includes access to sensitive configuration, user management, and operational controls within the traffic management platform.

Root Cause

The root cause is the absence of a privilege check inside maxprofile/user-groups/routes.lua before processing group membership changes. The handler trusts the authenticated session without enforcing role-based authorization on the requested action. See the Nozomi Networks Security Advisory for additional technical details.

Attack Vector

Exploitation requires network access to the MaxTime web interface and valid low-privileged credentials. The attacker authenticates, then issues a crafted HTTP request targeting the user-groups route to assign a user account to a higher-privileged group. No user interaction is required. After group assignment, the attacker logs in with the elevated account or refreshes the session to exercise the new privileges.

Detection Methods for CVE-2025-26371

Indicators of Compromise

  • Unexpected HTTP requests to maxprofile/user-groups/routes from low-privileged user sessions
  • Unauthorized additions to administrative or privileged groups in MaxTime audit logs
  • New or modified group memberships occurring outside of change management windows
  • User accounts gaining privileged group access without corresponding administrator approval

Detection Strategies

  • Monitor application logs for group membership modification events and correlate them against the requesting user's role
  • Implement web application firewall rules that flag user-group modification requests originating from non-administrative sessions
  • Compare current group membership snapshots against baseline configurations to identify unauthorized additions

Monitoring Recommendations

  • Enable verbose audit logging for all maxprofile/user-groups endpoint activity
  • Forward MaxTime authentication and authorization events to a centralized SIEM for correlation
  • Alert on privilege changes performed by accounts that lack administrator role assignments
  • Review session activity logs for unusual API call patterns following user authentication

How to Mitigate CVE-2025-26371

Immediate Actions Required

  • Upgrade Q-Free MaxTime to a version higher than 2.11.0 once a fixed release is available from the vendor
  • Audit all existing user-group memberships and revoke unauthorized assignments
  • Rotate credentials for any account suspected of being used to exploit the endpoint
  • Restrict network access to the MaxTime management interface to trusted administrative networks only

Patch Information

No vendor advisory URL is listed in the CVE record. Administrators should contact Q-Free directly and reference the Nozomi Networks Security Advisory for remediation guidance and patch availability for versions above 2.11.0.

Workarounds

  • Limit account provisioning so that low-privileged users cannot authenticate to the MaxTime application unless required
  • Place the MaxTime web interface behind a reverse proxy that enforces additional authorization checks on user-group routes
  • Apply network segmentation to isolate MaxTime from general-purpose user networks
  • Conduct regular reviews of group membership and remove accounts that no longer require elevated access
bash
# Configuration example: restrict access to MaxTime management interface
# Example nginx reverse proxy rule blocking user-groups route from untrusted networks
location /maxprofile/user-groups/ {
    allow 10.0.0.0/24;   # administrative subnet
    deny all;
    proxy_pass http://maxtime-backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.