Cyber Resilience

CVE-2025-26340

High

Published: 12 February 2025

Published
12 February 2025
Modified
24 October 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0019 41.0th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26340 is a high-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Q-Free Maxtime. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).

Deeper analysis

CVE-2025-26340 is a CWE-321 vulnerability involving the use of a hard-coded cryptographic key in the JSON Web Token (JWT) signing mechanism of Q-Free MaxTime versions less than or equal to 2.11.0. This flaw affects the authentication process, enabling attackers to forge valid JWTs due to the static key, which undermines the integrity of signed tokens.

An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity, requiring user interaction such as clicking a crafted link or opening a malicious request. Successful exploitation allows bypassing authentication entirely, granting high-impact access to confidential data (C:H), modification of system integrity (I:H), and potential disruption of availability (A:H), as reflected in the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

For mitigation details, refer to the advisory published by Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26340, which was released alongside the CVE publication on 2025-02-12.

EU & UK References

Vulnerability details

A CWE-321 "Use of Hard-coded Cryptographic Key" in the JWT signing in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to bypass the authentication via crafted HTTP requests.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1606 Forge Web Credentials Credential Access
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.
Why these techniques?

The hard-coded JWT signing key enables unauthenticated remote attackers to craft forged authentication tokens via HTTP requests, facilitating exploitation of the public-facing management web application (T1190) and forging web credentials (T1606).

CVEs Like This One

CVE-2025-26344Same product: Q-Free Maxtime
CVE-2025-1102Same product: Q-Free Maxtime
CVE-2025-26363Same product: Q-Free Maxtime
CVE-2025-26365Same product: Q-Free Maxtime
CVE-2025-26366Same product: Q-Free Maxtime
CVE-2025-26362Same product: Q-Free Maxtime
CVE-2025-26347Same product: Q-Free Maxtime
CVE-2025-26339Same product: Q-Free Maxtime
CVE-2025-26359Same product: Q-Free Maxtime
CVE-2025-26372Same product: Q-Free Maxtime

Affected Assets

q-free
maxtime
≤ 2.11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires establishment and management of cryptographic keys for JWT signing, preventing the use of hard-coded keys that enable token forgery.

prevent

Mandates secure management of authenticators including the cryptographic signing key, mitigating risks from hard-coded secrets in authentication processes.

preventrecover

Ensures timely remediation of the specific hard-coded key flaw in Q-Free MaxTime software, eliminating the authentication bypass vulnerability.

References