CVE-2025-26356
Published: 12 February 2025
Summary
CVE-2025-26356 is a high-severity Path Traversal: '.../...//' (CWE-35) vulnerability in Q-Free Maxtime. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 17.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-26356 is a path traversal vulnerability (CWE-35) located in the setActive endpoint of maxtime/api/database/database.lua within Q-Free MaxTime versions up to and including 2.11.0. The flaw permits an authenticated remote attacker to supply crafted HTTP requests that traverse directories and overwrite arbitrary sensitive files on the affected system. It carries a CVSS 3.1 base score of 7.2 reflecting network attack vector, low complexity, high-privileged access requirements, and high impact across confidentiality, integrity, and availability.
An authenticated remote attacker with administrative credentials can exploit the endpoint to replace critical files, potentially leading to configuration tampering, service disruption, or further system compromise. The attack requires no user interaction and can be executed over the network.
The sole reference points to a Nozomi Networks advisory that details the issue for Q-Free MaxTime.
EPSS for the CVE rose from a low baseline to a recorded peak of 0.0304 before settling at the current value of 0.0175, indicating emerging exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4168
Vulnerability details
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (setActive endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal enables arbitrary overwrite of sensitive files, facilitating exploitation for privilege escalation (T1068), data destruction through overwriting/corruption (T1485), and stored data manipulation (T1565.001).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates path traversal by requiring validation of inputs to the setActive endpoint to reject crafted paths that enable overwriting sensitive files.
Remediates the specific path traversal flaw in maxtime/api/database/database.lua through timely patching or code correction to prevent exploitation.
Enforces least privilege to restrict access to the high-privilege setActive endpoint, limiting who can attempt file overwrite exploits.