CVE-2025-26353
Published: 12 February 2025
Summary
CVE-2025-26353 is a medium-severity Path Traversal: '.../...//' (CWE-35) vulnerability in Q-Free Maxtime. Its CVSS base score is 4.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). It ranks in the 38.2 percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4165
Vulnerability details
A CWE-35 "Path Traversal" in maxtime/api/sql/sql.lua in Q-Free MaxTime versions 2.11.0 and earlier allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.
- CWE(s): CWE-35 (Path Traversal: '.../...//')
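The CWE-35 pattern named above defeats sanitisers that strip `../` in a single pass, because removing the inner pieces of `.../...//` leaves a fresh `../` behind. The Python below is an added illustration of that weakness and of the containment check that closes it; it is not code from Q-Free MaxTime or from sql.lua, and the base directory and file names are constructed sample values.

```python
import posixpath
from typing import Optional

# Constructed sample base directory; nothing here is read from disk.
BASE_DIR = "/srv/app/data"


def naive_strip(user_path: str) -> str:
    """Weak sanitiser: remove "../" once, left to right (do not use).
    Stripping the two inner "../" pieces of ".../...//" leaves "../"
    behind, which is exactly the CWE-35 weakness."""
    return user_path.replace("../", "")


def resolve_naive(base_dir: str, user_path: str) -> str:
    """Vulnerable pattern: filter the string, then join and normalise.
    Returns the path a subsequent file read would actually open."""
    return posixpath.normpath(posixpath.join(base_dir, naive_strip(user_path)))


def resolve_contained(base_dir: str, user_path: str) -> Optional[str]:
    """Hardened pattern: do not filter; canonicalise first, then verify
    the result is still inside base_dir. Returns None on any escape."""
    base = posixpath.normpath(base_dir)
    # Absolute paths and NUL bytes are never legitimate input here.
    if user_path.startswith("/") or "\x00" in user_path:
        return None
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    # Compare against base + "/" so that "/srv/app/data2" is not
    # mistaken for a child of "/srv/app/data".
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    # On a live filesystem also pass the result through os.path.realpath()
    # so that a symlink inside base_dir cannot point back outside it.
    return candidate


if __name__ == "__main__":
    payload = ".../...//etc/passwd"
    print("naive   :", resolve_naive(BASE_DIR, payload))      # escapes the data dir
    print("hardened:", resolve_contained(BASE_DIR, payload))  # stays inside it
```

The naive resolver ends up at /srv/app/etc/passwd, outside BASE_DIR, while the hardened resolver keeps the odd-looking but contained path under /srv/app/data.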
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal allows arbitrary sensitive file reads from the local system, which supports Data from Local System (T1005), File and Directory Discovery (T1083), Credentials In Files (T1552.001) and, specifically, dumping of /etc/passwd and /etc/shadow (T1003.008).
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.