CVE-2025-1100
Published: 12 February 2025
Summary
CVE-2025-1100 is a critical-severity Use of Hard-coded Password (CWE-259) vulnerability in Q-Free MaxTime. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked in the top 16.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-1100 is a CWE-259 (Use of Hard-coded Password) vulnerability affecting the root account in Q-Free MaxTime versions up to and including 2.11.0. The issue is present in the product's SSH service and carries a CVSS 3.1 base score of 9.8 (Critical).
An unauthenticated remote attacker who can reach the SSH interface can authenticate as root with the embedded credentials. Because the password is baked into the product rather than set by the operator, it is typically not changeable through normal account management; once logged in, the attacker holds root privileges and can execute arbitrary code on the affected system.
The EPSS score rose from a low baseline to a recorded peak of 0.0311 (roughly a 3.1% estimated probability of exploitation activity within 30 days), indicating that exploitation interest increased after public disclosure. A technical advisory describing the issue has been published by Nozomi Networks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2002
Vulnerability details
A CWE-259 "Use of Hard-coded Password" for the root account in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to execute arbitrary code with root privileges via SSH.
- CWE-259: Use of Hard-coded Password
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The hard-coded root password enables abuse of a default account (T1078.001, Valid Accounts: Default Accounts) over an externally reachable SSH service (T1133, External Remote Services; T1190, Exploit Public-Facing Application), giving the attacker root-level arbitrary code execution. No guessing is involved, so the login succeeds on the first attempt and looks like a legitimate administrative session unless root logins over SSH are baselined and reviewed.
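The access path described in the deeper analysis and in the technique mapping above has a recognisable log signature: a successful password login for root with no preceding failures from the same source. The following detector is an added example written for this page, not code from Q-Free, Nozomi Networks or the advisory. It assumes the default OpenSSH syslog line format; the log lines in SAMPLE_LOG and the trusted management network are constructed for the example, not taken from a MaxTime device.

```python
"""Flag successful root SSH logins that look like use of a known (hard-coded) password.

Added example for this page; not Q-Free's or Nozomi Networks' code. It assumes the
default OpenSSH syslog line format. SAMPLE_LOG and TRUSTED_ROOT_SOURCES are constructed
for the example, not captured from a MaxTime device.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

# Assumption: root logins are expected only from this management network (e.g. a jump host).
TRUSTED_ROOT_SOURCES = [ip_network("10.10.0.0/24")]


@dataclass
class Finding:
    line_no: int
    src: str
    method: str
    reason: str


def trusted_source(src: str) -> bool:
    return any(ip_address(src) in net for net in TRUSTED_ROOT_SOURCES)


def detect_root_ssh_logins(lines):
    """Return a Finding for every successful root login that merits review.

    A password login for root that succeeds with no preceding failures from the same
    source is the signature of a known credential: an attacker holding the hard-coded
    password does not need to guess. Password logins after failures are flagged as
    guessing; key-based root logins are flagged only when they come from an untrusted source.
    """
    failures = defaultdict(int)  # src -> failed root password attempts seen so far
    findings = []
    for n, line in enumerate(lines, 1):
        f = FAILED.search(line)
        if f and f["user"] == "root":
            failures[f["src"]] += 1
            continue
        a = ACCEPTED.search(line)
        if not a or a["user"] != "root":
            continue
        src, method = a["src"], a["method"]
        if method == "password":
            prior = failures[src]
            reason = (f"root password login after {prior} failed attempts (guessing)" if prior
                      else "root password login on first attempt (known or hard-coded credential)")
            findings.append(Finding(n, src, method, reason))
        elif not trusted_source(src):
            findings.append(Finding(n, src, method, f"root {method} login from an unexpected source"))
    return findings


SAMPLE_LOG = [  # constructed sample lines, not real data
    "Feb 12 10:01:02 maxtime sshd[1201]: Accepted publickey for ops from 10.10.0.7 port 50122 ssh2: ED25519 SHA256:aaa",
    "Feb 12 10:02:11 maxtime sshd[1230]: Failed password for root from 203.0.113.9 port 41000 ssh2",
    "Feb 12 10:02:13 maxtime sshd[1230]: Failed password for root from 203.0.113.9 port 41000 ssh2",
    "Feb 12 10:03:40 maxtime sshd[1250]: Accepted password for root from 203.0.113.9 port 41002 ssh2",
    "Feb 12 10:05:00 maxtime sshd[1260]: Accepted password for root from 198.51.100.22 port 35000 ssh2",
    "Feb 12 10:06:00 maxtime sshd[1270]: Accepted publickey for root from 10.10.0.7 port 50123 ssh2: ED25519 SHA256:bbb",
    "Feb 12 10:07:00 maxtime sshd[1280]: Accepted publickey for root from 203.0.113.50 port 36000 ssh2: RSA SHA256:ccc",
]

if __name__ == "__main__":
    for fnd in detect_root_ssh_logins(SAMPLE_LOG):
        print(f"line {fnd.line_no}: {fnd.src} {fnd.method}: {fnd.reason}")
```

On the constructed sample this reports the first-attempt root password login from 198.51.100.22 (the pattern this CVE produces), the root login from 203.0.113.9 that followed two failures (guessing), and a key-based root login from outside the management network; the ops user and the root key login from the jump host are left alone. Feed it the device's real auth log and adjust TRUSTED_ROOT_SOURCES to your environment.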
Mitigating Controls (NIST 800-53 r5)
IA-5 (Authenticator Management) requires that authenticators be managed, including a prohibition on hard-coded passwords; the vendor-side fix removes the embedded root credential, and on the operator side the control translates into refusing password authentication for root over SSH wherever the device allows that setting.
SI-2 (Flaw Remediation) mandates identification, reporting, and correction of system flaws such as this hard-coded password; for affected deployments that means installing the vendor's fixed release, since the credential cannot be rotated by the operator.
AC-2 (Account Management) provides for disabling unnecessary privileged accounts and removing default credentials, mitigating direct root access via SSH; until the fix is applied, the practical compensating steps are to prevent interactive root login in the SSH daemon and to limit which networks can reach the SSH service.
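The operator-side expression of IA-5 and AC-2 above is an sshd configuration that does not accept a password for root at all. The audit below is an added example written for this page, not Q-Free's code and not MaxTime's actual configuration; the weak and hardened configurations are constructed to show the settings side by side. It assumes OpenSSH semantics: keywords are case-insensitive, the first value given for a keyword wins, and a Match block overrides global values for the connections it matches (only "Match All" and "Match User ..." criteria are evaluated here).

```python
"""Audit an sshd_config for settings that let a root password be used over SSH.

Added example for this page; not Q-Free's or Nozomi Networks' code. The two
configurations below are constructed for the example, not taken from a MaxTime device.
Assumes OpenSSH semantics: case-insensitive keywords, first value of a keyword wins,
Match blocks override global values for matching connections (only Match All and
Match User are evaluated in this simplified parser).
"""
import re

DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
DEFAULTS = {  # OpenSSH defaults (7.0 and later) for the keywords audited
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
}


def parse_sshd_config(text):
    """Return (global_options, [(match_criteria, options), ...])."""
    global_opts, match_blocks = {}, []
    scope = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        key = ALIASES.get(key, key)
        if key == "match":
            scope = {}
            match_blocks.append((value.lower(), scope))
            continue
        scope.setdefault(key, value)  # first occurrence wins within a scope
    return global_opts, match_blocks


def effective_settings(global_opts, match_blocks, user="root"):
    """Settings that apply to a connection authenticating as `user`."""
    effective = dict(DEFAULTS)
    effective.update(global_opts)
    overrides = {}
    for criteria, opts in match_blocks:
        crit = criteria.split()
        applies = crit == ["all"] or (
            len(crit) >= 2 and crit[0] == "user" and user in crit[1].split(","))
        if applies:
            for k, v in opts.items():
                overrides.setdefault(k, v)  # first matching block wins
    effective.update(overrides)
    return effective


def audit_sshd_config(text, user="root"):
    """Return findings; an empty list means password login for `user` is closed off."""
    eff = effective_settings(*parse_sshd_config(text), user=user)

    def val(key):
        return eff.get(key, "").lower()

    issues = []
    prl = val("permitrootlogin")
    if prl == "yes" and val("passwordauthentication") == "yes":
        issues.append("PermitRootLogin yes + PasswordAuthentication yes: an embedded root "
                      "password is usable directly over SSH (IA-5)")
    if prl == "yes" and val("kbdinteractiveauthentication") == "yes":
        issues.append("PermitRootLogin yes + keyboard-interactive enabled: PAM can still "
                      "prompt for the root password (IA-5)")
    if prl != "no":
        issues.append(f"PermitRootLogin {prl}: direct root login not disabled; use a named "
                      "admin account plus sudo (AC-2)")
    if val("permitemptypasswords") == "yes":
        issues.append("PermitEmptyPasswords yes: accounts with an empty password can log in (IA-5)")
    return issues


WEAK_CONFIG = """\
# constructed: permissive appliance-style configuration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed: password-based root login closed off
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
AllowUsers ops
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        issues = audit_sshd_config(cfg)
        print(f"{name}: {len(issues)} issue(s)")
        for issue in issues:
            print("  -", issue)
```

The weak configuration yields three findings (password and keyboard-interactive both usable for root, and root login not disabled); the hardened one yields none. Two caveats: ChallengeResponseAuthentication is the old spelling of KbdInteractiveAuthentication and is folded into it here, because a "PasswordAuthentication no" that leaves keyboard-interactive enabled still lets PAM ask for the root password; and this audit only closes the SSH door to the embedded credential, it does not remove the credential, which is what the vendor's fix (SI-2) is for.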