CVE-2025-26356

High

Published: 12 February 2025

Published

12 February 2025

Modified

28 October 2025

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0175 82.7th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26356 is a high-severity Path Traversal: '.../...//' (CWE-35) vulnerability in Q-Free Maxtime. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 17.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates path traversal by requiring validation of inputs to the setActive endpoint to reject crafted paths that enable overwriting sensitive files.

SI-2 Flaw Remediation good match

prevent

Remediates the specific path traversal flaw in maxtime/api/database/database.lua through timely patching or code correction to prevent exploitation.

AC-6 Least Privilege partial match

prevent

Enforces least privilege to restrict access to the high-privilege setActive endpoint, limiting who can attempt file overwrite exploits.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1485 Data Destruction Impact

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

attack.mitre.org →

T1565.001 Stored Data Manipulation Impact

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

attack.mitre.org →

Why these techniques?

Path traversal enables arbitrary overwrite of sensitive files, facilitating exploitation for privilege escalation (T1068), data destruction through overwriting/corruption (T1485), and stored data manipulation (T1565.001).

NVD Description

A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (setActive endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.

Deeper analysisAI

CVE-2025-26356 is a path traversal vulnerability classified under CWE-35, present in the setActive endpoint of the maxtime/api/database/database.lua component in Q-Free MaxTime versions less than or equal to 2.11.0. Published on 2025-02-12, this flaw enables an authenticated remote attacker to overwrite sensitive files by sending crafted HTTP requests, potentially leading to unauthorized modifications within the application's file system.

The vulnerability can be exploited by a remote attacker who possesses high privileges (PR:H), requiring network access (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation remains confined to the affected component (S:U) but yields high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in its CVSS v3.1 base score of 7.2. Successful attacks could allow the overwriting of critical files, compromising system integrity and potentially enabling further malicious actions.

Mitigation guidance and additional details are available in the vulnerability advisory from Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26356.

Details

CWE(s): CWE-35

Affected Products

q-free

maxtime

≤ 2.11.0

CVEs Like This One

CVE-2025-26354Same product: Q-Free Maxtime

CVE-2025-26346Same product: Q-Free Maxtime

CVE-2025-26348Same product: Q-Free Maxtime

CVE-2025-26371Same product: Q-Free Maxtime

CVE-2025-26369Same product: Q-Free Maxtime

CVE-2025-26361Same product: Q-Free Maxtime

CVE-2025-26342Same product: Q-Free Maxtime

CVE-2025-26377Same product: Q-Free Maxtime

CVE-2025-26378Same product: Q-Free Maxtime

CVE-2025-26368Same product: Q-Free Maxtime

References

https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26356
Third Party Advisory · prodsec@nozominetworks.com