CVE-2025-26349

High

Published: 12 February 2025

Modified: 24 October 2025
KEV Added: not listed
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0047 (65.1st percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-26349 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Q-Free MaxTime. Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105). The CVE ranks in the top 34.9% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-26349 is a relative path traversal vulnerability (CWE-23) in the file upload mechanism of Q-Free MaxTime versions up to and including 2.11.0. The flaw permits an authenticated remote attacker to supply crafted HTTP requests that traverse directories and overwrite arbitrary files on the affected system. It carries a CVSS 3.1 base score of 7.2, reflecting a network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability; the score stays below Critical because the attacker must already hold high privileges (PR:H).

An attacker who already possesses valid administrative credentials can exploit the issue remotely without user interaction to replace critical files, potentially leading to configuration tampering, service disruption, or further privilege escalation on the MaxTime instance.

The single referenced advisory from Nozomi Networks documents the finding but supplies no additional mitigation details in the available record. EPSS for the CVE rose from a low baseline to a peak of 0.0319 on 2026-03-24 before receding to the current value of 0.0047, indicating a temporary increase in exploitation interest after public disclosure.

Vulnerability details

A CWE-23 "Relative Path Traversal" in the file upload mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite arbitrary files via crafted HTTP requests.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1105 Ingress Tool Transfer (Command and Control): Adversaries may transfer tools or other files from an external system into a compromised environment.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
T1554 Compromise Host Software Binary (Persistence): Adversaries may modify host software binaries to establish persistent access to systems.
Why these techniques?

Path traversal in the file upload mechanism enables arbitrary file overwrites. That primitive maps to ingress tool transfer (T1105), exploitation of a public-facing application (T1190), web shell deployment (T1505.003), and host software binary compromise (T1554).

CVEs Like This One

CVE-2025-26350 (same product: Q-Free MaxTime)
CVE-2025-1102 (same product: Q-Free MaxTime)
CVE-2025-26366 (same product: Q-Free MaxTime)
CVE-2025-26363 (same product: Q-Free MaxTime)
CVE-2025-26365 (same product: Q-Free MaxTime)
CVE-2025-26344 (same product: Q-Free MaxTime)
CVE-2025-26362 (same product: Q-Free MaxTime)
CVE-2025-26339 (same product: Q-Free MaxTime)
CVE-2025-26359 (same product: Q-Free MaxTime)
CVE-2025-26340 (same product: Q-Free MaxTime)

Affected Assets

Vendor: q-free
Product: maxtime
Versions: ≤ 2.11.0

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Directly validates file paths and filenames in upload requests to block relative path traversal exploits such as CWE-23.

prevent (SI-2, Flaw Remediation): Remediates the specific path traversal flaw in Q-Free MaxTime's file upload mechanism through timely patching.

detect: Verifies the integrity of critical files to detect unauthorized overwrites resulting from successful path traversal exploitation.
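The input-validation control (SI-10) expressed as code, as an added example that is not from this page or from Q-Free: a Python upload-path check that rejects relative traversal in client-supplied filenames and confirms the resolved target stays inside the upload directory. The upload root, the allow-list pattern and the sample filenames are assumptions constructed for the illustration.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Hypothetical upload directory; the real MaxTime layout is not documented on this page.
UPLOAD_ROOT = Path("/srv/uploads")
# Allow-list: one bare filename, no separators, no leading dot, bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


class UnsafeUploadName(ValueError):
    """Raised when a client-supplied filename fails validation."""


def safe_upload_path(client_name: str, upload_root: Path = UPLOAD_ROOT) -> Path:
    """Map a client-supplied filename to a path strictly inside upload_root.

    Layers: decode once and reject names that would decode again (double-encoded
    traversal), allow-list the characters, then confirm the resolved target sits
    directly under the resolved root (belt-and-braces against symlinks and gaps).
    """
    name = unquote(client_name)
    if unquote(name) != name:
        raise UnsafeUploadName("double-encoded filename")
    if not SAFE_NAME.fullmatch(name):
        raise UnsafeUploadName("filename outside allow-list")
    root = upload_root.resolve()
    target = (root / name).resolve()
    if target.parent != root:
        raise UnsafeUploadName("resolved path escapes upload root")
    return target


def classify(client_name: str, upload_root: Path = UPLOAD_ROOT) -> str:
    """Return 'accepted' or the rejection reason, for logging and tests."""
    try:
        safe_upload_path(client_name, upload_root)
        return "accepted"
    except UnsafeUploadName as exc:
        return str(exc)


# Constructed sample names an upload handler might receive (not from the advisory).
SAMPLES = ("report.pdf", "v2.11.0-backup.tar.gz", "../../etc/passwd",
           "..\\..\\web.config", "%2e%2e%2fconfig.ini", "%252e%252e%252fconfig.ini",
           "quarterly report.pdf", "notes\x00.txt")

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:32} -> {classify(sample)}")
```

Logging the rejection reason rather than a bare 4xx gives the detect-side control a signal to alert on repeated traversal attempts against the upload endpoint.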
