
CVE-2025-1100

Severity: Critical
Published: 12 February 2025
Modified: 24 October 2025
KEV Added: not listed
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0185 (83.4th percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-1100 is a critical-severity Use of Hard-coded Password (CWE-259) vulnerability in Q-Free MaxTime. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks in the top 16.6% of all CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-1100 is a CWE-259 (use of hard-coded password) vulnerability affecting the root account of Q-Free MaxTime versions 2.11.0 and earlier. The credential is accepted by the product's SSH service, and the CVSS 3.1 base score is 9.8.

An unauthenticated remote attacker who can reach the SSH interface can authenticate as root with the embedded credential and then execute arbitrary code with root privileges. Because the password is shipped in the product rather than chosen per installation, the same credential works against every affected device; remediation is a vendor update, with restriction of network access to the SSH service as the interim control.

The EPSS score rose from a low baseline to a recorded peak of 0.0311 before settling at the current 0.0185, indicating that the model's estimate of exploitation activity increased after public disclosure. A technical advisory describing the issue has been published by Nozomi Networks.


Vulnerability details

A CWE-259 "Use of Hard-coded Password" for the root account in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to execute arbitrary code with root privileges via SSH.

CWE(s): CWE-259 Use of Hard-coded Password

Related Threats

MITRE ATT&CK Enterprise Techniques

T1078.001 Default Accounts (Initial Access, Persistence, Privilege Escalation, Defense Evasion): Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1133 External Remote Services (Persistence, Initial Access): Adversaries may leverage external-facing remote services to initially access and/or persist within a network.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The hard-coded root password enables default-account abuse (T1078.001) over the exposed SSH service, which is both an externally reachable remote service (T1133) and a public-facing application (T1190), resulting in unauthenticated root-level arbitrary code execution.
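The detection side of the techniques above, as an added example that is not part of this advisory or of any Q-Free code: the script scans constructed OpenSSH sshd log lines for successful password logins as root, which is exactly the event the hard-coded credential lets an attacker produce, and rates each one by whether the source lies inside a constructed maintenance network (10.20.0.0/24). The host name, addresses and log format are assumptions; the advisory does not state which SSH daemon MaxTime runs.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed: the jump-host network from which legitimate maintenance SSH is expected.
MAINTENANCE_NET = ip_network("10.20.0.0/24")

# OpenSSH success line, e.g. "Accepted password for root from 203.0.113.7 port 51234 ssh2".
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

# Constructed syslog sample for a hypothetical controller host "maxtime-ctrl-07".
SAMPLE_LOG = """\
Feb 13 02:11:04 maxtime-ctrl-07 sshd[812]: Accepted publickey for maint from 10.20.0.5 port 40112 ssh2: ED25519 SHA256:c0ns7ruc7ed
Feb 13 02:14:51 maxtime-ctrl-07 sshd[830]: Accepted password for root from 203.0.113.7 port 51234 ssh2
Feb 13 02:14:51 maxtime-ctrl-07 sshd[830]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Feb 13 02:20:19 maxtime-ctrl-07 sshd[845]: Failed password for root from 203.0.113.7 port 51300 ssh2
Feb 13 03:01:00 maxtime-ctrl-07 sshd[902]: Accepted password for root from 10.20.0.5 port 40200 ssh2
"""


def parse_accepted(line):
    """Return (user, method, source address) for an sshd 'Accepted ...' line, else None."""
    m = ACCEPTED_RE.search(line)
    if m is None:
        return None
    return m["user"], m["method"], ip_address(m["src"])


def find_root_password_logins(log_text, trusted_net=MAINTENANCE_NET):
    """Report every successful root login that used a password.

    Holding the hard-coded credential lets an attacker produce exactly this
    event, so each one is reported: 'high' when the source is outside the
    trusted maintenance network, 'medium' when it is inside (still worth a
    ticket, because root password authentication should not be enabled)."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_accepted(line)
        if parsed is None:
            continue
        user, method, src = parsed
        if user != "root" or method != "password":
            continue
        severity = "medium" if src in trusted_net else "high"
        findings.append({"src": str(src), "severity": severity, "line": line.strip()})
    return findings


if __name__ == "__main__":
    for f in find_root_password_logins(SAMPLE_LOG):
        print(f"{f['severity'].upper():6s} {f['src']:15s} {f['line']}")
```

On the sample, the publickey login by the maintenance user and the failed attempt are ignored; the two root password logins are reported, the one from 203.0.113.7 as high and the one from the maintenance network as medium. Feed the function the controller's forwarded syslog; if the appliance exposes no logs, the same pattern has to be inferred from SSH sessions to the controller seen at a network sensor.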

CVEs Like This One

CVE-2025-26344 (same product: Q-Free MaxTime)
CVE-2025-1102 (same product: Q-Free MaxTime)
CVE-2025-26363 (same product: Q-Free MaxTime)
CVE-2025-26365 (same product: Q-Free MaxTime)
CVE-2025-26366 (same product: Q-Free MaxTime)
CVE-2025-26362 (same product: Q-Free MaxTime)
CVE-2025-26347 (same product: Q-Free MaxTime)
CVE-2025-26339 (same product: Q-Free MaxTime)
CVE-2025-26359 (same product: Q-Free MaxTime)
CVE-2025-26372 (same product: Q-Free MaxTime)

Affected Assets

Q-Free MaxTime, versions ≤ 2.11.0

Mitigating Controls (NIST 800-53 r5)

IA-5 Authenticator Management (prevent): requires managing authenticators, including prohibiting hard-coded or embedded static passwords, which directly addresses the root credential in this CVE.

SI-2 Flaw Remediation (prevent): requires identifying, reporting and correcting system flaws such as this hard-coded password, through the vendor patch or an equivalent remediation.

AC-2 Account Management (prevent): covers disabling unnecessary privileged accounts and removing default credentials, which limits remote root access over SSH.

Where the appliance does not let the operator change the root credential or the SSH daemon settings, IA-5 and AC-2 are met through the vendor update together with restricting network access to the SSH service.
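A check corresponding to the AC-2 and IA-5 items above, added here as an example rather than taken from the advisory or from Q-Free: it parses an OpenSSH sshd_config and reports whether a root password login is possible, applying the daemon's documented rules that the first value read for a keyword wins and that absent keywords take the defaults (PermitRootLogin prohibit-password, PasswordAuthentication yes). The three configurations are constructed, and whether a MaxTime appliance exposes an editable sshd_config at all is an assumption.

```python
import re

# OpenSSH defaults used when a keyword is absent from sshd_config.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

# sshd_config accepts "Keyword value" or "Keyword=value".
DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")

# Constructed configurations (not taken from any Q-Free image).
WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

# Looks hardened at a glance but is not: sshd keeps the first value it reads.
MISLEADING = """\
PermitRootLogin yes
PasswordAuthentication yes
# appended later by an operator, silently ignored by sshd
PermitRootLogin no
"""


def effective_settings(config_text):
    """Return the effective global value of each audited keyword.

    Rules applied: comments and blank lines are skipped, keywords are
    case-insensitive, the first value read for a keyword is the one that
    counts, and parsing stops at the first Match block because anything
    after it is conditional rather than global."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m is None:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        if key in DEFAULTS and key not in seen:
            seen[key] = value
    return {k: seen.get(k, DEFAULTS[k]) for k in DEFAULTS}


def root_password_login_possible(config_text):
    """True if someone holding the root password could log in over SSH.

    'prohibit-password' (and its older alias 'without-password') permits
    root only with keys, so only an explicit 'yes' counts."""
    s = effective_settings(config_text)
    return s["permitrootlogin"] == "yes" and s["passwordauthentication"] == "yes"


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("misleading", MISLEADING)):
        print(f"{name:10s} {effective_settings(cfg)} -> root password login possible: "
              f"{root_password_login_possible(cfg)}")
```

The misleading case is the one worth remembering during an audit: a `PermitRootLogin no` appended below an earlier `PermitRootLogin yes` changes nothing, so the check reads the file the way sshd does instead of grepping for the hardening line. Even with the daemon locked down, the embedded credential itself is only removed by the vendor release.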
