What is CVE-2025-26370?

A high-severity vulnerability in Q-Free MaxTime prior to version 2.11.0 allows authenticated low-privileged attackers to manipulate user group privileges. Immediate patching is crucial to mitigate risks associated with this flaw.

What is the severity of CVE-2025-26370?

CVE-2025-26370 has a severity rating of HIGH with a CVSS base score of 7.1.

CVE-2025-26370 | High Vulnerability in Q-Free MaxTime

CVE-2025-26370 is a high-severity vulnerability affecting Q-Free's MaxTime application, specifically in the maxprofile/user-groups/routes.lua file. This vulnerability allows an authenticated low-privileged attacker to remove privileges from user groups through crafted HTTP requests. The issue stems from a missing authorization check, categorized under CWE-862.

With a CVSS score of 7.1, this vulnerability poses significant risks to organizations using affected versions of MaxTime, which are those prior to version 2.11.0. The potential for an attacker to elevate their privileges could lead to unauthorized actions within the application.

Organizations using Q-Free MaxTime should prioritize patching to version 2.11.0 or later as part of their immediate remediation efforts. Failure to address this vulnerability may result in compromised user group integrity and unauthorized access to sensitive functionalities.

As of now, there are no known exploits publicly available for this vulnerability, making swift action even more critical to prevent potential exploitation.

Vulnerability Details

The official CVE description states that a CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove privileges from user groups via crafted HTTP requests.

This vulnerability is classified under CWE-862 and has been assigned a high severity rating with a CVSS score of 7.1, indicating a significant impact on integrity and low impact on availability and confidentiality.

The vulnerability was published on February 12, 2025, and affects all versions of MaxTime prior to 2.11.0.

Technical Analysis

The root cause of CVE-2025-26370 is a missing authorization check in the application. This oversight allows authenticated users with low privileges to manipulate user group permissions, leading to potential privilege escalation.

The attack vector is network-based, with low attack complexity. The attacker requires low privileges to exploit this vulnerability, and user interaction is not necessary. There is no impact on confidentiality, while integrity could be compromised, and availability is lightly affected.

Risk & Impact Analysis

Risk to organizations includes unauthorized privilege removal from user groups, which can lead to further exploitation within the system. The blast radius could be extensive, as this vulnerability affects all instances of MaxTime prior to version 2.11.0.

Organizations should assess their exposure to this vulnerability, particularly those with deployments that may allow low-privileged users to access sensitive functionalities. Given the CVSS score and the potential for exploitation, this vulnerability should be addressed urgently.

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

All versions of Q-Free MaxTime prior to version 2.11.0 are affected by this vulnerability.

Mitigation & Remediation

Organizations are urged to patch to version 2.11.0 or later to mitigate this vulnerability. In the event that a patch is unavailable, consider implementing network controls to restrict access to the MaxTime application and conduct thorough monitoring for any unauthorized privilege changes.

For additional guidance, organizations may refer to the following resources: penetration testing and security assessments that can help in identifying and addressing similar vulnerabilities.

Detection Guidance

Monitoring logs for unusual privilege changes or unauthorized access attempts can help in detecting potential exploitation of this vulnerability. Organizations should also be vigilant for behavioral anomalies within the application.

AppSecure Threat Intelligence Insight

The long-term significance of CVE-2025-26370 highlights the importance of thorough authorization checks in application development. This serves as a reminder that even low-privileged users can pose a risk if adequate security measures are not in place.

Security teams should take this incident as an opportunity to review their authorization frameworks, ensuring they are robust enough to prevent privilege escalation. Best practices in penetration testing methodologies can further enhance the security posture of applications.

Additionally, organizations may benefit from exploring vulnerability management programs that help in identifying, assessing, and remediating vulnerabilities effectively.

Finally, the integration of security practices from the beginning of the software development lifecycle is critical in ensuring the long-term integrity of applications.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2025-26370: High Vulnerability in Q-Free MaxTime