Cyber Posture

CVE-2025-26350

Medium

Published: 12 February 2025

Modified: 24 October 2025
KEV Added: (not listed)
Patch:
CVSS Score: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0010 (27.2nd percentile)
Risk Priority: 10 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-26350 is a medium-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Q-Free Maxtime. Its CVSS base score is 4.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003). EPSS ranks it at the 27.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Web Shell (T1505.003) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent): Directly validates the type and content of uploaded template files to prevent the unrestricted upload of dangerous file types described in this CWE-434 vulnerability.

prevent: Restricts the types of files accepted by the template upload component, blocking malicious files from high-privilege authenticated attackers.

SI-2 Flaw Remediation (prevent): Remediates the specific unrestricted file upload flaw in Q-Free MaxTime <= 2.11.0 through timely patching and flaw correction.
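As an added illustration of the input-validation control above, the following Python is example code written for this page; it is not Q-Free's code and is not taken from the advisory. It shows the shape of a server-side check for a template upload endpoint: the client-supplied filename is constrained to a safe pattern, the extension is allowlisted, the body is size-capped and then parsed as the declared format rather than trusted by name, and the file is stored under a server-generated name. The allowed template formats (JSON and XML) and the size limit are assumptions, since the page does not say which formats MaxTime templates use.

```python
import json
import os
import re
import uuid
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Assumed allowlist of template formats (placeholders for illustration; the page
# does not state which formats the real product accepts).
ALLOWED_TEMPLATE_EXTENSIONS = {".json", ".xml"}
MAX_TEMPLATE_BYTES = 256 * 1024  # assumed cap; parse nothing larger than this

# Plain file names only: no path separators, no leading dot, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    # Server-chosen name for storage; the client's name is never used on disk.
    stored_name: Optional[str] = None


def _body_matches_format(ext: str, data: bytes) -> bool:
    """Parse the body as the declared format instead of trusting name or MIME header."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    if "\x00" in text:
        return False
    if ext == ".json":
        try:
            json.loads(text)
            return True
        except ValueError:
            return False
    if ext == ".xml":
        # Refuse DOCTYPE/entity declarations outright (XXE risk), then require
        # a well-formed document.
        upper = text.upper()
        if "<!DOCTYPE" in upper or "<!ENTITY" in upper:
            return False
        try:
            ET.fromstring(text)
            return True
        except ET.ParseError:
            return False
    return False


def validate_template_upload(client_filename: str, data: bytes) -> UploadDecision:
    """Decide whether an uploaded template may be stored, and under what name."""
    # 1. Never accept path components or odd characters from the client.
    if not SAFE_NAME.match(client_filename):
        return UploadDecision(False, "unsafe filename")
    # 2. Allowlist the final extension. Because the file is renamed on storage,
    #    a double extension such as "x.php.json" is judged purely as ".json".
    ext = os.path.splitext(client_filename)[1].lower()
    if ext not in ALLOWED_TEMPLATE_EXTENSIONS:
        return UploadDecision(False, f"extension {ext or '(none)'} not allowed")
    # 3. Cap size before any parsing work.
    if len(data) > MAX_TEMPLATE_BYTES:
        return UploadDecision(False, "body exceeds size limit")
    # 4. The body must actually parse as the declared format.
    if not _body_matches_format(ext, data):
        return UploadDecision(False, f"body is not valid {ext[1:]}")
    # 5. Store under a random server-generated name with the validated extension.
    return UploadDecision(True, "ok", stored_name=f"{uuid.uuid4().hex}{ext}")


# Constructed sample uploads (not real traffic) covering the main decisions.
SAMPLES = {
    "good_json": ("report.json", b'{"title": "daily summary"}'),
    "good_xml": ("layout.xml", b"<template><row/></template>"),
    "traversal": ("../../etc/passwd", b"irrelevant"),
    "bad_ext": ("page.php", b"<?php echo 'hi'; ?>"),
    "wrong_body": ("page.json", b"<?php echo 'hi'; ?>"),
    "xxe": ("t.xml", b'<!DOCTYPE t [<!ENTITY e SYSTEM "file:///etc/hostname">]><t>&e;</t>'),
}


def run_samples() -> dict:
    """Return the decision for every constructed sample, keyed by sample name."""
    return {k: validate_template_upload(name, body) for k, (name, body) in SAMPLES.items()}


if __name__ == "__main__":
    for key, decision in run_samples().items():
        print(f"{key:12s} accepted={decision.accepted} reason={decision.reason}")
```

The point of step 4 is that the check is on what the bytes are, not what the request claims; a renamed script with a template extension fails to parse and is rejected before it reaches disk, and the random stored name removes any attacker influence over the path the server later serves or includes.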

MITRE ATT&CK Enterprise Techniques (AI)

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1221 Template Injection (Stealth): Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
T1608.001 Upload Malware (Resource Development): Adversaries may upload malware to third-party or adversary-controlled infrastructure to make it accessible during targeting.
Why these techniques?

Unrestricted upload of dangerous files through the template upload component enables exploitation of a public-facing web application (T1190), web shell deployment (T1505.003), template injection via malicious templates (T1221), and malware staging through file uploads (T1608.001), potentially leading to arbitrary file overwrites and system compromise.

NVD Description

A CWE-434 "Unrestricted Upload of File with Dangerous Type" in the template file uploads in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to upload malicious files via crafted HTTP requests.

Deeper analysis (AI)

CVE-2025-26350, published on 2025-02-12, is a CWE-434 unrestricted upload of file with dangerous type vulnerability in the template file uploads component of Q-Free MaxTime versions less than or equal to 2.11.0. It enables an authenticated remote attacker to upload malicious files through crafted HTTP requests. The vulnerability has a CVSS v3.1 base score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N), indicating medium severity with high integrity impact but no effects on confidentiality or availability.

An attacker requires high privileges (PR:H) to exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation allows uploading arbitrary malicious files, potentially leading to integrity violations such as executing unauthorized code or altering system templates within the affected MaxTime instance.

Mitigation details are available in the advisory published by Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26350.

Details

CWE(s)

CWE-434: Unrestricted Upload of File with Dangerous Type
Affected Products

q-free maxtime ≤ 2.11.0

CVEs Like This One

CVE-2025-26349 (same product: Q-Free Maxtime)
CVE-2025-1102 (same product: Q-Free Maxtime)
CVE-2025-26366 (same product: Q-Free Maxtime)
CVE-2025-26344 (same product: Q-Free Maxtime)
CVE-2025-26362 (same product: Q-Free Maxtime)
CVE-2025-26365 (same product: Q-Free Maxtime)
CVE-2025-26363 (same product: Q-Free Maxtime)
CVE-2025-26359 (same product: Q-Free Maxtime)
CVE-2025-26339 (same product: Q-Free Maxtime)
CVE-2025-26347 (same product: Q-Free Maxtime)

References