Cyber Resilience

CVE-2025-26356

High

Published: 12 February 2025

Published
12 February 2025
Modified
28 October 2025
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0175 83.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26356 is a high-severity Path Traversal: '.../...//' (CWE-35) vulnerability in Q-Free Maxtime. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 17.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-26356 is a path traversal vulnerability (CWE-35) located in the setActive endpoint of maxtime/api/database/database.lua within Q-Free MaxTime versions up to and including 2.11.0. The flaw permits an authenticated remote attacker to supply crafted HTTP requests that traverse directories and overwrite arbitrary sensitive files on the affected system. It carries a CVSS 3.1 base score of 7.2 reflecting network attack vector, low complexity, high-privileged access requirements, and high impact across confidentiality, integrity, and availability.

An authenticated remote attacker with administrative credentials can exploit the endpoint to replace critical files, potentially leading to configuration tampering, service disruption, or further system compromise. The attack requires no user interaction and can be executed over the network.

The sole reference points to a Nozomi Networks advisory that details the issue for Q-Free MaxTime.

EPSS for the CVE rose from a low baseline to a recorded peak of 0.0304 before settling at the current value of 0.0175, indicating emerging exploitation interest after disclosure.

EU & UK References

Vulnerability details

A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (setActive endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Path traversal enables arbitrary overwrite of sensitive files, facilitating exploitation for privilege escalation (T1068), data destruction through overwriting/corruption (T1485), and stored data manipulation (T1565.001).

CVEs Like This One

CVE-2025-26354Same product: Q-Free Maxtime
CVE-2025-26346Same product: Q-Free Maxtime
CVE-2025-26348Same product: Q-Free Maxtime
CVE-2025-26371Same product: Q-Free Maxtime
CVE-2025-26369Same product: Q-Free Maxtime
CVE-2025-26361Same product: Q-Free Maxtime
CVE-2025-26342Same product: Q-Free Maxtime
CVE-2025-26368Same product: Q-Free Maxtime
CVE-2025-26375Same product: Q-Free Maxtime
CVE-2025-26378Same product: Q-Free Maxtime

Affected Assets

q-free
maxtime
≤ 2.11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates path traversal by requiring validation of inputs to the setActive endpoint to reject crafted paths that enable overwriting sensitive files.

prevent

Remediates the specific path traversal flaw in maxtime/api/database/database.lua through timely patching or code correction to prevent exploitation.

prevent

Enforces least privilege to restrict access to the high-privilege setActive endpoint, limiting who can attempt file overwrite exploits.

References