CVE-2025-26341 — AI Deep Analysis Summary

🚨 **Essence**: Critical Access Control Error in Q-Free MAXTIME Suite. <br>💥 **Consequences**: Attackers can **reset ANY user password** via crafted HTTP requests. Total compromise of traffic signal management integrity.

🛡️ **Root Cause**: **CWE-306** (Missing Authentication for Critical Function). <br>🔍 **Flaw**: The `maxprofile/accounts/routes.lua` module lacks identity verification checks.

🏢 **Vendor**: Q-Free. <br>📦 **Product**: MaxTime (Local Traffic Signal Management). <br>📅 **Affected**: Versions **2.11.0 and earlier**.

🕵️ **Attacker Action**: Send specific HTTP requests to bypass auth. <br>🔑 **Privilege**: Reset arbitrary user passwords. <br>📊 **Impact**: Full Control (CVSS 9.8). High Confidentiality, Integrity, and Availability loss.

⚡ **Threshold**: **LOW**. <br>🌐 **Network**: Attack Vector is Network (AV:N). <br>🔓 **Auth**: No Privileges Required (PR:N). <br>👀 **UI**: No User Interaction Needed (UI:N).

📜 **Public Exploit**: No PoC code provided in data. <br>🌍 **Wild Exploit**: Reference to Nozomi Networks advisory exists. Likely exploitable given CVSS 9.8 and low barrier.

🔍 **Self-Check**: Scan for Q-Free MAXTIME Suite. <br>📂 **Target**: Check for `maxprofile/accounts/routes.lua` endpoint. <br>📡 **Test**: Attempt unauthenticated HTTP requests to account routes.

🩹 **Fix**: Update to version **> 2.11.0**. <br>🛡️ **Mitigation**: Ensure authentication is enforced on `routes.lua` functions. Patch is the primary defense.

🚧 **No Patch?**: Implement WAF rules to block unauthenticated access to `/maxprofile/accounts/routes`. <br>🔒 **Network**: Restrict access to management interfaces. Isolate the system.

🔥 **Urgency**: **CRITICAL**. <br>⏱️ **Priority**: Patch immediately. CVSS 9.8 + No Auth Required = High Risk of Active Exploitation. Traffic safety is at stake.