CRITICAL🇵🇱 Wersja polska

CVE-2025-26339

CVSS 9.8v3.1pub. 2025-02-12upd. 2025-10-24

A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability in multiple unspecified ways via crafted HTTP requests.

🤖 AI Analysis
How it works

The vulnerability exists in the maxtime/handleRoute.lua file, where critical routing functions are available without an authentication mechanism (CWE-306). An attacker can send crafted HTTP requests directly to the vulnerable endpoint, completely bypassing the access control layer. The lack of required authentication means that any remote user with network access to the device can invoke these functions.

Impact

An attacker can affect the confidentiality, integrity, and availability of the device in many unspecified ways, which may include unauthorized data reading, configuration modification, or disruption of the traffic management system operation.

Mitigation & patch

Patches available from the manufacturer should be applied according to the references. It is also recommended to restrict network access to the device through a firewall and implement network segmentation so that the management interface is not accessible from untrusted networks.

Who is affected

Q-Free MaxTime version 2.11.0 and earlier

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Q Free Maxtime

    APP
    Q-Free
    ≤ 2.11.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-26344CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: brak uwierzytelnienia umożliwia włączenie trybu gościa bez hasła

CVE-2025-26342CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: tworzenie kont bez uwierzytelnienia (w tym kont admina)

CVE-2025-1100CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: zakodowane hasło root umożliwia zdalny RCE przez SSH

CVE-2025-26341CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: resetowanie haseł bez uwierzytelnienia (CWE-306)

CVE-2025-26345CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: brak uwierzytelnienia umożliwia zmianę uprawnień grup użytkowników