CVE-2025-26344 — AI Deep Analysis Summary

🚨 **Essence**: Critical Access Control Error in Q-Free MAXTIME Suite. <br>🔥 **Consequences**: Attackers can enable password-less guest mode via crafted HTTP requests.…

🛡️ **Root Cause**: **CWE-306** (Missing Authentication for Critical Function). <br>🐛 **Flaw**: The file `maxprofile/guest-mode/routes.lua` lacks proper identity verification.…

🏢 **Vendor**: Q-Free. <br>📦 **Product**: MAXTIME Suite (Local traffic signal management). <br>⚠️ **Affected Versions**: **v2.11.0 and earlier**.

💀 **Attacker Actions**: <br>1. Enable **Guest Mode** without a password. <br>2. Gain unauthorized access to traffic signal management controls. <br>3. Potentially disrupt local traffic flow or manipulate signal data.

⚡ **Exploitation Threshold**: **LOW**. <br>🌐 **Network**: Remote (AV:N). <br>🔑 **Auth**: None required (PR:N). <br>👤 **User Interaction**: None (UI:N). <br>🎯 **Complexity**: Low (AC:L).

📢 **Public Exploit**: **No PoC provided** in current data. <br>⚠️ **Risk**: Despite no public code, the CVSS score is **Critical (9.8)**. Theoretical exploitation is highly feasible due to low barriers.

🔍 **Self-Check**: <br>1. Scan for **Q-Free MAXTIME Suite** services. <br>2. Check version numbers (≤ 2.11.0). <br>3. Attempt to access `/maxprofile/guest-mode/routes.lua` endpoints (if safe/authorized). <br>4.…

🛠️ **Official Fix**: **Patch Available**. <br>📅 **Published**: 2025-02-12. <br>✅ **Action**: Update to a version **newer than 2.11.0** immediately.

🚧 **No Patch? Workaround**: <br>1. **Network Segmentation**: Block external access to MAXTIME Suite ports. <br>2. **WAF Rules**: Filter requests targeting `guest-mode/routes.lua`. <br>3.…

🔴 **Urgency**: **CRITICAL**. <br>📈 **Priority**: **P0**. <br>💡 **Reason**: CVSS 9.8 + Critical Infrastructure (Traffic Control) + No Auth Required. Patch immediately to prevent potential city-wide traffic disruption.