CVE-2025-26349
Published: 12 February 2025
Summary
CVE-2025-26349 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Q-Free MaxTime. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105). The CVE is ranked in the top 34.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-26349 is a relative path traversal vulnerability (CWE-23) in the file upload mechanism of Q-Free MaxTime versions up to and including 2.11.0. The flaw lets an authenticated remote attacker send crafted HTTP requests whose upload filename traverses out of the intended upload directory and overwrites arbitrary files on the affected system. It carries a CVSS 3.1 base score of 7.2: network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity and availability. The score stays below Critical only because the attacker must already hold high privileges (PR:H).
An attacker who already possesses valid administrative credentials can exploit the issue remotely without user interaction to replace critical files, potentially leading to configuration tampering, service disruption, or further privilege escalation on the MaxTime instance. Because the primitive is a write to an attacker-chosen path rather than a read, the practical concern is what the application or the host will later execute or trust from that path.
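The write primitive described above follows the generic CWE-23 upload pattern: a handler joins the client-supplied filename onto the upload root without normalising it. The following is an added illustration and is not Q-Free code; MaxTime's real handler is not public, so the function names and the upload root `/srv/app/uploads` are assumptions. It shows the naive path computation beside the containment check (the SI-10 style input validation the mitigations section refers to) that rejects the traversal.

```python
import os

# Added example (not Q-Free code): generic CWE-23 upload-path pattern and its
# hardened form. UPLOAD_DIR and the function names are hypothetical.
UPLOAD_DIR = "/srv/app/uploads"


def vulnerable_upload_path(upload_dir: str, client_filename: str) -> str:
    """Computes the write path the way a naive handler does: the client-supplied
    name is joined onto the upload root with no normalisation. Both '../'
    segments and absolute names escape the root (os.path.join discards the
    left side entirely when the right side is absolute)."""
    return os.path.join(upload_dir, client_filename)


def resolves_outside(upload_dir: str, client_filename: str) -> bool:
    """True if the naive path lands outside the upload root once '..' and
    symlinks are collapsed. This is exactly the condition an attacker needs."""
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(vulnerable_upload_path(upload_dir, client_filename))
    return os.path.commonpath([root, target]) != root


def safe_upload_path(upload_dir: str, client_filename: str) -> str:
    """Hardened version. Assumes client_filename has already been fully
    percent-decoded by the HTTP layer; validating before decoding would let
    '%2e%2e%2f' slip past a textual check.

    1. Reject names carrying path separators, NUL or reserved components
       instead of silently stripping them: a traversal attempt is worth
       logging, not normalising away.
    2. Canonicalise both the root and the candidate with realpath.
    3. Require the candidate to remain beneath the root (defence in depth
       against a symlinked upload directory or a future weakening of step 1).
    """
    if (
        not client_filename
        or client_filename in (".", "..")
        or any(ch in client_filename for ch in ("/", "\\", "\x00"))
    ):
        raise ValueError(f"rejected filename: {client_filename!r}")
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, client_filename))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"filename escapes upload root: {client_filename!r}")
    return target


if __name__ == "__main__":
    for name in ("report.csv", "../../../etc/app.conf", "/etc/app.conf"):
        print(f"{name!r:28} naive -> {vulnerable_upload_path(UPLOAD_DIR, name)}"
              f"  escapes={resolves_outside(UPLOAD_DIR, name)}")
        try:
            print(f"{'':28} safe  -> {safe_upload_path(UPLOAD_DIR, name)}")
        except ValueError as exc:
            print(f"{'':28} safe  -> REJECTED ({exc})")
```

The realpath/commonpath pair is the check that matters; a blocklist of the literal string `../` is not, because `....//`, backslashes on Windows builds, and double-encoded sequences all defeat it. The check must also run under the same privilege and working directory the write will use, otherwise the two can resolve differently.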
The single referenced advisory from Nozomi Networks documents the finding but supplies no additional mitigation details in the available record. EPSS for the CVE rose from a low baseline to a peak of 0.0319 on 2026-03-24 before receding to the current value of 0.0047, indicating a temporary increase in exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4161
Vulnerability details
A CWE-23 "Relative Path Traversal" in the file upload mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite arbitrary files via crafted HTTP requests.
- CWE(s): CWE-23 (Relative Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the file upload mechanism yields an arbitrary file write on the server. That primitive maps to Ingress Tool Transfer (T1105, the attacker's own files written onto the host), Exploit Public-Facing Application (T1190, the upload endpoint as the entry point, though here only after valid administrative credentials have been obtained), Server Software Component: Web Shell (T1505.003, a shell written into a web-served directory), and Compromise Host Software Binary (T1554, an application binary replaced so that it runs attacker code).
Affected Assets
- Q-Free MaxTime, versions up to and including 2.11.0
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validates file paths and filenames in upload requests so that names containing traversal sequences or absolute paths are rejected before anything is written; this directly addresses CWE-23.
- SI-2 (Flaw Remediation): remediates the specific path traversal flaw in Q-Free MaxTime's file upload mechanism through timely patching.
- SI-7 (Software, Firmware, and Information Integrity): verifies the integrity of critical files to detect unauthorized overwrites resulting from successful exploitation, which is the compensating control while a patch is pending.
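The integrity control above is a detection, not a prevention: it catches the result of a successful overwrite. The following is an added example, not Q-Free code or a product feature, of a minimal SHA-256 baseline check of the kind SI-7 calls for, run against a constructed directory tree. The advisory does not say which MaxTime files matter, so the file names here are placeholders.

```python
import hashlib
import os
import tempfile

# Added example (not Q-Free code): file-integrity baseline and comparison.
# The directory layout and file names in demo() are constructed placeholders.


def sha256_of(path: str) -> str:
    """Streams the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Maps every regular file under root (by relative path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def check_baseline(root: str, baseline: dict) -> dict:
    """Compares the live tree against the baseline. An arbitrary-file-overwrite
    exploit shows up as 'modified' (an existing file replaced) or 'added'
    (a new file dropped, e.g. a web shell); 'missing' catches deletions."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate the
    post-exploitation state (config overwritten, extra file dropped)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "conf"))
        os.makedirs(os.path.join(root, "www"))
        with open(os.path.join(root, "conf", "app.conf"), "w") as f:
            f.write("auth=required\n")
        with open(os.path.join(root, "www", "index.html"), "w") as f:
            f.write("<html></html>\n")
        baseline = build_baseline(root)
        # Simulated attacker writes delivered through the traversal bug.
        with open(os.path.join(root, "conf", "app.conf"), "w") as f:
            f.write("auth=disabled\n")
        with open(os.path.join(root, "www", "shell.php"), "w") as f:
            f.write("<?php /* constructed placeholder */ ?>\n")
        return check_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}{paths}")
```

Two operational caveats: the baseline must be stored somewhere the same write primitive cannot reach (off-host or on read-only media), since an attacker who can overwrite arbitrary files can overwrite a locally stored baseline too; and legitimate uploads land in the upload directory, so that directory is excluded from the baseline while configuration, binaries and web roots are included.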