CRITICAL🇵🇱 Wersja polska

CVE-2025-1100

CVSS 9.8v3.1pub. 2025-02-12upd. 2025-10-24

A CWE-259 "Use of Hard-coded Password" for the root account in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to execute arbitrary code with root privileges via SSH.

🤖 AI Analysis
How it works

The vulnerability results from the manufacturer's use of a static, hardcoded password for the root account in Q-Free MaxTime software. Since the password is identical across all product installations and cannot be changed by the user, an attacker with knowledge of this password can authenticate to the SSH service without any additional privileges. After logging in, the attacker gains full control of the system with the highest privileges.

Impact

Attackers gain unlimited access to the system with root privileges, enabling arbitrary code execution, data modification or deletion, malware installation, and complete device takeover.

Mitigation & patch

Apply patches available from the manufacturer according to references. Additionally, it is recommended to restrict SSH port access only to trusted IP addresses at the firewall level and monitor SSH login attempts until the patch is deployed.

Who is affected

Q-Free MaxTime version 2.11.0 and all earlier versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Q Free Maxtime

    APP
    Q-Free
    ≤ 2.11.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-26344CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: brak uwierzytelnienia umożliwia włączenie trybu gościa bez hasła

CVE-2025-26339CRITICAL9.8PL ✓ten sam produkt

Brak uwierzytelnienia dla krytycznej funkcji w Q-Free MaxTime

CVE-2025-26342CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: tworzenie kont bez uwierzytelnienia (w tym kont admina)

CVE-2025-26341CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: resetowanie haseł bez uwierzytelnienia (CWE-306)

CVE-2025-26345CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: brak uwierzytelnienia umożliwia zmianę uprawnień grup użytkowników