What is CVE-2025-26375?

CVE-2025-26375 is a high-severity privilege escalation vulnerability in Q-Free MaxTime. Attackers can exploit this flaw to create users with arbitrary privileges. Immediate patching is essential to mitigate risks.

What is the severity of CVE-2025-26375?

CVE-2025-26375 has a severity rating of HIGH with a CVSS base score of 8.8.

CVE-2025-26375 | Q-Free - Missing Authorization

CVE-2025-26375 is a high-severity vulnerability affecting Q-Free's MaxTime product. This vulnerability allows an authenticated (low-privileged) attacker to create users with arbitrary privileges via crafted HTTP requests due to a missing authorization check in the maxprofile/users/routes.lua file. The flaw is classified as CWE-862, indicating a significant oversight in access control mechanisms.

The CVSS score of 8.8 reflects a high level of risk associated with this vulnerability, making it crucial for organizations using MaxTime versions up to 2.11.0 to understand its implications. The attack vector is network-based, with a low complexity of exploitation, which means that even attackers with minimal skills can potentially exploit it. The required privileges are low, and user interaction is not necessary, increasing the likelihood of successful exploitation.

Risk to organizations includes unauthorized access to sensitive functionalities, which can lead to significant data breaches or manipulation of user roles within the system. Given the nature of the vulnerability, organizations should prioritize patching immediately.

As of the last update, there are no known public exploits or proof of concepts available for this vulnerability, but the potential for exploitation remains a concern due to its high severity and the ease of access for malicious actors.

Vulnerability Details

The official CVE description states that an authenticated (low-privileged) attacker can exploit this vulnerability to create users with arbitrary privileges. This flaw affects all versions of Q-Free MaxTime up to and including version 2.11.0.

The CVSS score of 8.8 indicates a high severity level, which is critical for organizations to address. The vulnerability falls under the CWE-862 classification, highlighting the missing authorization issue.

Technical Analysis

The root cause of this vulnerability is a lack of proper authorization checks in the code. The attack vector is network-based, allowing attackers to send crafted requests without needing to interact with the system directly. The complexity of the attack is low, meaning that attackers do not require advanced skills to exploit it.

Privileges required for the attack are low, and user interaction is not required. The impact on confidentiality, integrity, and availability is classified as high, meaning that successful exploitation can lead to serious consequences for the affected systems.

Risk & Impact Analysis

Organizations using Q-Free MaxTime should be particularly concerned about the implications of this vulnerability. The potential for unauthorized access to sensitive user management features could allow attackers to escalate their privileges and compromise the integrity of the application.

The blast radius of this vulnerability could extend significantly, especially in environments where MaxTime is integrated with other systems. The urgency for organizations to address this vulnerability is high, given the CVSS score and the potential impact on their operations and data security.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

All versions of Q-Free MaxTime prior to and including version 2.11.0 are affected by this vulnerability. Organizations should upgrade to the latest version to mitigate the risk.

Mitigation & Remediation

Organizations should prioritize patching immediately. Upgrading to the latest version of Q-Free MaxTime will address this vulnerability. In the meantime, implementing network controls to limit access to the application can help mitigate the risk.

Detection Guidance

Monitoring logs for unusual user creation requests and behavioral anomalies can help detect potential exploitation attempts of this vulnerability.

AppSecure Threat Intelligence Insight

CVE-2025-26375 highlights the critical importance of implementing robust access controls in application development. It serves as a reminder for organizations to regularly audit their systems for potential vulnerabilities. For further insights into vulnerability management, organizations can refer to our guide on vulnerability management programs and the importance of continuous security testing. Additionally, organizations should consider penetration testing to identify similar weaknesses in their systems. Lastly, understanding the trends in vulnerabilities can be beneficial, as outlined in our recent article on 2025 vulnerability exposure severity trends.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2025-26375: High Vulnerability in Q-Free MaxTime