Cyber Posture

CVE-2025-1100

Critical

Published: 12 February 2025

Modified: 24 October 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0185 (83.1st percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-1100 is a critical-severity Use of Hard-coded Password (CWE-259) vulnerability in Q-Free Maxtime. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks in the top 16.9% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Default Accounts (T1078.001) and two other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

IA-5 (prevent) requires the management of authenticators, including prohibitions on hard-coded passwords, directly preventing exploitation of the root account credential in this CVE.

SI-2 (prevent) mandates identification, reporting, and correction of system flaws such as this hard-coded password vulnerability through patching or equivalent remediation.

AC-2 (prevent) provides for account management practices that disable unnecessary privileged accounts or remove default credentials, mitigating remote root access via SSH.

MITRE ATT&CK Enterprise Techniques

T1078.001 Default Accounts (Stealth): Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1133 External Remote Services (Persistence): Adversaries may leverage external-facing remote services to initially access and/or persist within a network.

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The hard-coded root password enables default-account abuse (T1078.001) for unauthenticated remote access over the exposed SSH service (T1133, T1190), resulting in root-level arbitrary code execution.

NVD Description

A CWE-259 "Use of Hard-coded Password" for the root account in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to execute arbitrary code with root privileges via SSH.

Deeper analysis

CVE-2025-1100, published on 2025-02-12, is a critical vulnerability with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting Q-Free MaxTime versions less than or equal to 2.11.0. The issue is classified as CWE-259, involving the use of a hard-coded password for the root account. This flaw allows an unauthenticated remote attacker to execute arbitrary code with root privileges via SSH.

Any unauthenticated attacker with network access to the affected system can exploit this vulnerability by authenticating over SSH using the hard-coded root password. Successful exploitation grants full root-level access, enabling arbitrary code execution that can result in complete compromise of the system, including high impacts to confidentiality, integrity, and availability.

Mitigation details are available in the advisory from Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-1100.

Details

CWE(s): CWE-259 (Use of Hard-coded Password)

Affected Products

q-free maxtime ≤ 2.11.0

CVEs Like This One

CVE-2025-26363 (same product: Q-Free Maxtime)
CVE-2025-26344 (same product: Q-Free Maxtime)
CVE-2025-1102 (same product: Q-Free Maxtime)
CVE-2025-26362 (same product: Q-Free Maxtime)
CVE-2025-26365 (same product: Q-Free Maxtime)
CVE-2025-26366 (same product: Q-Free Maxtime)
CVE-2025-26347 (same product: Q-Free Maxtime)
CVE-2025-26372 (same product: Q-Free Maxtime)
CVE-2025-26339 (same product: Q-Free Maxtime)
CVE-2025-26340 (same product: Q-Free Maxtime)
