CVE-2025-26340
Published: 12 February 2025
Summary
CVE-2025-26340 is a high-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Q-Free Maxtime. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires establishment and management of cryptographic keys for JWT signing, preventing the use of hard-coded keys that enable token forgery.
Mandates secure management of authenticators including the cryptographic signing key, mitigating risks from hard-coded secrets in authentication processes.
Ensures timely remediation of the specific hard-coded key flaw in Q-Free MaxTime software, eliminating the authentication bypass vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The hard-coded JWT signing key enables unauthenticated remote attackers to craft forged authentication tokens via HTTP requests, facilitating exploitation of the public-facing management web application (T1190) and forging web credentials (T1606).
NVD Description
A CWE-321 "Use of Hard-coded Cryptographic Key" in the JWT signing in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to bypass the authentication via crafted HTTP requests.
Deeper analysisAI
CVE-2025-26340 is a CWE-321 vulnerability involving the use of a hard-coded cryptographic key in the JSON Web Token (JWT) signing mechanism of Q-Free MaxTime versions less than or equal to 2.11.0. This flaw affects the authentication process, enabling attackers to forge valid JWTs due to the static key, which undermines the integrity of signed tokens.
An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity, requiring user interaction such as clicking a crafted link or opening a malicious request. Successful exploitation allows bypassing authentication entirely, granting high-impact access to confidential data (C:H), modification of system integrity (I:H), and potential disruption of availability (A:H), as reflected in the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
For mitigation details, refer to the advisory published by Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26340, which was released alongside the CVE publication on 2025-02-12.
Details
- CWE(s)